Google Docs Security: How secure are Google Docs?
Why Google Docs is not secure. How users can bypass controls & how to add extra security.
Google Docs and other online document security platforms use JavaScript to enforce their printing and editing controls. But how effective is this method, and is it suitable for confidential business documents?
By this point, most people in the western world have either heard of or used Google Docs. It’s used extensively both privately and by businesses, who value the ability for employees to access and edit their documents from anywhere. This convenience, however, comes at a cost. While its user experience is certainly ready for the enterprise, Google Docs’ security is more questionable.
Is Google Docs secure?
Is Google Docs secure?
Google Docs is excellent for collaboration, but it isn’t particularly secure. It shouldn’t be used for confidential information, whether that’s content under embargo, an unpublished financial report, board meeting minutes, etc.
In theory, you can protect documents in Google Docs to stop users from sharing, downloading, printing or copying, and add an expiration date to give access for a limited time period. In practise however this protection is trivial to remove. We show you how to do this below in the section How to copy a Google Doc that is protected.
Can you make a Google Doc secure?
Can you make a Google Doc secure?
The core issue with Google Docs’ security is that it’s browser-based. Though web apps are certainly convenient, they just don’t have the same level of control over a user’s system as a desktop one. In Google Docs’ case, it’s forced to use JavaScript (just like secure data room systems and other online document sharing solutions) to try to prevent editing, copying/pasting, and printing.
The problem with this is that JavaScript primarily executes this code on the client side – on the user’s own PC. This means that if JavaScript is tampered with or simply turned off using the browser’s developer mode, users can unlock GDocs by bypassing the security controls. We’ll show you exactly how easy this is in a bit.
Okay, so let’s assume the user is not technically-minded enough to play around with their browser’s developer mode. Does Google Docs stop them from leaking documents? Unfortunately, the answer is still no. Why? Because they can simply share their Google password.
Access is granted to a document on an account basis, and accounts are authenticated by a password (and sometimes 2FA, but that can also be shared). The protection is only as secure as the password, and the password is only secure if nobody is willing to share it. There’s no protection against intentional leaks, and even non-technical users will think to screenshot the document.
Watermarks in Secured Docs
Watermarks in Secured Docs
Google Docs’ watermark feature is supposed to provide additional protection for documents. Unfortunately, just like the rest of its security, it is not very effective. A watermark is only a viable protection mechanism if the document’s copy protection cannot be easily bypassed and the watermark is simple to apply at scale. Google Docs’ watermarks fails both of these tests:
- Google Docs watermarks are laughably easy to remove – the user just has to append
/mobilebasicto the end of their URL. They can then screenshot the document or copy and paste the content. - If the user also disables JavaScript, they can convert a Google Doc to PDF with the watermarks removed.
- There is no support for dynamic watermarking. This means that to distribute documents with watermarks that identify the end-user, admins must manually type their details each time.
If you want effective protection, don’t use a Google Docs watermark. Instead, add secure non-removable, and dynamic text and image watermarks using Locklizard. Here’s how to add a confidential watermark to a PDF that is permanent.
Tracking views, edits and changes in Secure Docs
Tracking views, edits and changes in Secure Docs
So, you can’t stop someone from misusing your Google Drive document. But can you at least catch them when they do?
Google Docs does have tracking if you’re a business, enterprise, or education customer, and that data does include their email and IP address. It tracks the viewing, creation, and editing of files, but not the printing or copying/pasting (only creating a new copy of the file).
In theory, then, you could see if users share Google Doc account credentials by checking whether a document has been accessed via a new IP address. In practice, however, this may be difficult. As a cloud-based platform, one of Google Docs’ key advantages is that employees can use it from anywhere. If you have employees who work remotely or while traveling, it’s going to be difficult to distinguish whether an IP address is an employee’s partner’s Wi-Fi or that of an unauthorized party. Sadly, even if you do take the time to establish a list of common IP addresses for each employee, it might not help. The IP address can be shared quite easily using a proxy.
The main issue however, is that as of March 2022, Google allows users to opt out of this tracking and removed the option for admins to force it on. Even if they do not opt out they can copy/paste content into a new doc, or turn a Google doc into a PDF, then that removes the tracking.
In summary, then, you shouldn’t be using Google Docs for document security. It has too many easily accessible security holes and it can’t stop unauthorized viewing, printing, screenshotting, or copy/pasting.
How to copy a Google Doc that is protected
How to copy a Google Doc that is protected
We’ve harped on about how insecure Google Docs is, but the proof, as they say, is in the pudding. Here’s just how easy it is to bypass Google Docs’ copy protection or unlock a GDoc. And, don’t forget: if you can make an unprotected copy of a document, all other security controls are useless.
- Open the Google Doc in your browser and replace the
/editpart of the URL with/mobilebasic.
%22%20transform%3D%22translate(1.2%201.2)%20scale(2.41016)%22%20fill-opacity%3D%22.5%22%3E%3Cellipse%20fill%3D%22%23797979%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(-.3626%2021.48266%20-193.51803%20-3.26626%2086%201)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20cx%3D%22140%22%20cy%3D%2263%22%20rx%3D%22255%22%20ry%3D%2230%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20cx%3D%22169%22%20cy%3D%2269%22%20rx%3D%22255%22%20ry%3D%2233%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
Google will provide you with a pared-down, mobile version of the document. If the document is protected against copying, you’ll notice you still aren’t able to copy and paste it. That’s what the next steps are for. - Press Ctrl + Shift + I on your keyboard to open your browser’s developer mode.
%22%20transform%3D%22translate(1.2%201.2)%20scale(2.41016)%22%20fill-opacity%3D%22.5%22%3E%3Cellipse%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(.90065%20-29.30444%20222.51378%206.83876%20156%2079.6)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22rotate(179.9%2068.4%206.9)%20scale(242.56285%2025.10003)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20cx%3D%22156%22%20cy%3D%227%22%20rx%3D%22254%22%20ry%3D%2223%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
- Press Ctrl + Shift + P, type ‘JavaScript, and click on ‘Disable JavaScript (Debugger).
%27%20fill-opacity%3D%27.5%27%3E%3Cellipse%20fill%3D%22%23fff%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(.06068%20150.40737%20-599.25782%20.24177%20300.7%20107.7)%22%2F%3E%3Cellipse%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(-7.4967%20179.19354%20-598.73414%20-25.04853%20355%20550.2)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22rotate(-178.9%20172.4%2039.7)%20scale(599.25787%20111.72811)%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
- With the developer panel still open, press Ctrl + R or the refresh icon to reload the page. After it has loaded, you will be able to copy and paste its contents and print it.
%27%20fill-opacity%3D%27.5%27%3E%3Cellipse%20fill%3D%22%238c8b87%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(-161.91955%20-7.8947%207.93175%20-162.67935%20494.8%20272.3)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(1.29626%20-92.83161%20614.83077%208.58521%20198.7%20598)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(89.59527%20-5.18985%2031.30489%20540.43348%201.3%20358)%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
 | How to turn a protected Google Doc into a PDF & download as unprotected |
If you want to copy the whole document in one go, or download a protected google doc as unprotected, you can save a Google Doc as a PDF instead of copying and pasting the content. The process to turn a Google Doc into a PDF is simple whether printing is enabled or disabled.
How to make a Google Doc a PDF with Watermarks
If printing is enabled, just press Ctrl + P and select a printer (such as Microsoft Print to PDF) from the print menu. Then save the PDF to your local disk (download it) for offline use.
Any watermarks that the creator applied will remain if you use this method.
How to make a Google Doc a PDF without Watermarks
You can use this method whether printing is enabled or disabled. If printing is disabled, this method will enable the print option.
Follow the steps above, in ‘How to copy a Google Doc that is protected‘ by adding /mobilebasic to the URL and disabling JavaScript.
You can then select a PDF printer to convert the Google Doc to PDF with no watermarks and save it locally (download it) for offline use.
How secure is Google Drive?
How secure is Google Drive?
It’s quite clear at this point that Google Docs won’t offer you effective document protection. But what about its sister, Google Drive? Can it stop unauthorized users from viewing and copying documents?
In short, not without additional measures.
Google Drive and Google Docs are part of the same service – if you upload a document to Drive, whether it be a Google Doc, Microsoft Word Doc, or a simple text file, it will open in the Google Docs viewer. It can then be bypassed using the same methods as above: JavaScript manipulation, printing as a PDF, or sharing the account password.
If you want the text documents you upload to Google Drive to be secure, you’ll need to protect them with another solution first.
How to add extra security to a Google Doc or Drive file
How to add extra security to a Google Doc or Drive file
If you want users to be unable to open your document in Google Docs and therefore copy, edit, print, or screenshot it, you’ll have to encrypt it. There are two main options when it comes to encryption: password protection and DRM. Let’s take a look at both.
How to password protect a Google Doc
How to password protect a Google DocMicrosoft Word and Adobe Acrobat allow you to lock a Google Doc with a password before you upload it to Google Drive. Without the password, users will be unable to open the file, the encryption rendering it an unreadable jumble of numbers and letters without a decryption key.
You can password protect a Google Doc in Word by opening it and then pressing ‘File > Info > Protect Document > Encrypt with password’ – see How to lock a Word document. You can protect a PDF with Acrobat by following our dedicated guide.
Why we don’t recommend it
Password security adds an extra layer of protection to the document should an authorized user’s account be compromized via a phishing or other attack. However, it doesn’t do anything to prevent intentional sharing:
- The user can just share the password along with the document link to provide access to the decrypted document.
- Once the user enters the password, the document can be opened in Google Docs, and can easily bypass the security using the Ctrl + P print function, screenshotting, or the copy/paste trick shown above.
There are several other issues with password protection, too:
- You cannot expect users to remember individual passwords for each document. They will end up writing them down in an insecure place.
- Using one password for all documents introduces a single point of failure.
- Storing document passwords in a password manager is likely the best option, but still introduces a single point of failure (a user just needs to know somebody’s master password and they have the keys to your kingdom).
- Creating and managing different passwords for different documents can be time-consuming and frustrating (IT will be inundated with ‘I forgot the password’ calls).
Ultimately, then, password-based encryption methods offer only marginally more protection than Google Docs/Drive’s default protection but introduce a lot of management overhead. You instead need a solution that can both encrypt documents and stop them from being edited once they are decrypted.
Using DRM to lock a Google Doc from editing, printing, and copying
A document DRM solution like Safeguard PDF security will do away with passwords entirely and instead rely on a combination of strong encryption, a transparent licensing system, and a secure viewer application. This breaks the functionality of Google Docs (you’ll only be able to open the document in the secure viewer application) but provides much more effective protection against copying, editing, screenshotting, copy-pasting, and printing. You can also add permanent and dynamic watermarks, set an expiration date that cannot be removed and add tracking of views and prints.
Here’s how it works:
- You protect your PDF documents using Safeguard PDF Security or Enterprise PDF DRM Security.
- You choose what DRM controls you want to apply and how the documents are protected – for all authorized users, as part of a publication (all users authorized to view that publication have access), or documents must be individually assigned to users.
- Protected PDF documents can then be uploaded to Google Drive.
- You can also use Web Publisher to upload the protected PDF files to a cloud server where they are instantly available to authorized users via a browser using Safeguard Web Viewer.
- On the Safeguard Administration system, you create users and assign them access to protected documents and publications. If you are using ecommerce integration then this happens automatically when a user purchases your documents.
- The admin system automatically sends users a welcome email with their registration file and download links to the Secure PDF Viewer software. If you are using Web Publisher, then users will be sent an email with their login details to the Web Viewer-protected document portal.
- Users install the Secure PDF Viewer and click on a link to register with your system.
- Users download and click on a protected PDF document (PDC file) to open it. The protected document is opened in the secure PDF Viewer which enforces the DRM controls you have applied such as stopping printing, applying watermarks, enforcing expiry.
- Protected PDF files are locked to specific devices that you have authorized, so if forwarded, cannot be opened on other computers.
The Web Viewer gives a closer experience to Google Docs while being more secure (users can only log on from a single location and can’t copy save or modify). However, it is still accessed via the browser with a username/password, so we recommend publishing only to the Safeguard Viewer application for sensitive and confidential business documents. We’ll show you how to do so below.
 | How to protect a Google doc from editing, copying, printing, and sharing and track use |
How to create a secure PDF in Google Docs using Locklizard
The PDF encryption and decryption process is made simple with Locklizard Safeguard. You don’t need to worry about creating passwords or key pairs in advance because the licensing system does the heavy lifting for you.
Here’s how you can create a secure PDF in Google Docs by using Safeguard to first DRM protect and encrypt PDF files:
- Right-click your PDF in Windows File Explorer and select “Make Secure PDF”.
- Select the restrictions you’d like to apply, including restricting access after a certain date, which can be found in the “Expiry & Validity” tab. By default, editing, copying, and printing are disabled.
%22%20transform%3D%22translate(1.2%201.2)%20scale(2.41016)%22%20fill-opacity%3D%22.5%22%3E%3Cellipse%20fill%3D%22%23d0d0d0%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(-179.96377%2032.3806%20-4.57784%20-25.44254%200%2027.8)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(-4.6178%2036.42288%20-151.14307%20-19.16233%20201.1%2070)%22%2F%3E%3Cellipse%20fill%3D%22%23d0d0d0%22%20cx%3D%22242%22%20cy%3D%2223%22%20rx%3D%2230%22%20ry%3D%2216%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
- Press the Publish button to protect the PDF and apply restrictions.
%27%20fill-opacity%3D%27.5%27%3E%3Cellipse%20fill%3D%22%23d1d1d1%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(-109.37506%20-214.2739%20533.74398%20-272.44698%20466%20599)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(325.87005%20-182.2002%20142.33224%20254.5651%20287.8%2086.8)%22%2F%3E%3Cpath%20fill%3D%22%23d1d1d1%22%20fill-opacity%3D%22.5%22%20d%3D%22M9%20621.5L-126.1%20405l145.8-91.1L155%20530.4z%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
On pressing the Publish button, Locklizard will output your encrypted PDF file, which can only be opened by users you give access to in the Safeguard Admin portal. It can’t be edited, and content cannot be copied and pasted. Printing is also blocked by default unless you specifically allow it. - Add new users, and/or select existing users you want to give access to your protected PDF files using the cloud-based Safeguard Admin System:
%27%20fill-opacity%3D%27.5%27%3E%3Cellipse%20fill%3D%22%235bdcb6%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(54.46767%204.35568%20-9.92389%20124.09802%2034.7%2085.6)%22%2F%3E%3Cellipse%20fill%3D%22%23fff%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22rotate(-97.9%20331.9%20205)%20scale(210.57572%20327.95892)%22%2F%3E%3Cpath%20fill%3D%22%23d8d7d8%22%20fill-opacity%3D%22.5%22%20d%3D%22M65.4-54.3l597.8%2041.8-27.8%20397.7-597.8-41.8z%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
- Upload your protected PDF documents to Google Drive or distribute them via any other method. It doesn’t matter who downloads your encrypted PDF files (.PDC files) as only those authorized will be able to view them.
%27%20fill-opacity%3D%27.5%27%3E%3Cellipse%20fill%3D%22%23595959%22%20fill-opacity%3D%22.5%22%20rx%3D%221%22%20ry%3D%221%22%20transform%3D%22matrix(.42814%20-94.20871%2061.96045%20.28158%20292.1%20312.4)%22%2F%3E%3Cpath%20fill%3D%22%23434343%22%20fill-opacity%3D%22.5%22%20d%3D%22M256.6%20217.6H327V392h-70.4z%22%2F%3E%3Cpath%20fill%3D%22%231f1f1f%22%20fill-opacity%3D%22.5%22%20d%3D%22M642.2%20707.4l-679.4-59L133.5%2029.6l128%20381z%22%2F%3E%3C%2Fg%3E%3C%2Fsvg%3E)
Other document security platforms & secure alternatives
Other document security platforms & secure alternatives
Locklizard Safeguard DRM isn’t the only solution to promise better protection than Google Docs. There are various secure document collaboration sites and ‘secure data rooms’ that claim to be able to keep confidential documents safe. In reality, they suffer from all the same flaws as Google Docs/Drive:
- They use passwords/2FA for logins, which can be intentionally or accidentally shared.
- Their in-browser protection relies on JavaScript, which can be bypassed using the browser’s developer mode or third-party add-ons.
- Tracking is of limited use because IP addresses can be shared using proxies.
- The browser cannot prevent printing to PDF or high-quality screenshots.
What you are actually paying for with these solutions is the security of their server space, which is irrelevant if documents can easily be shared or compromised via other means.
Other rights management systems such as Microsoft RMS and Azure rights management also provide document controls to prevent sharing and copying but protection can be removed if the user has been given view access.
The best way to protect your Google Docs files
The best way to protect your Google Docs files
While it’s not as convenient, the best way to protect your Google Doc files is to convert them to PDF and protect them with a PDF DRM solution like Locklizard Safeguard. Only then will you be able to maintain the ability to share outside of your company and internal network without compromising your document’s security.
To improve your Google Docs security and protect Google Docs from unauthorized editing, printing, screenshotting, and misuse, take a 15-day free trial of our PDF DRM software.
FAQs
FAQs
How secure is Google Docs for business?
The business version of Google Docs, available as part of Google Workspace, is not much more secure than its consumer counterpart. Though Google claims a “security-first mindset”, its controls are still easily circumvented.
What Google Workspace does offer is additional tracking tools (which as mentioned can be circumvented via proxy) and additional login in security via a physical security key login option and suspicious login monitoring. However, as the document controls themselves are still browser-based, they can still be bypassed, and information can be extracted and shared that way. That makes the document tracking and logging redundant.
Is sending a Google Doc via Drive link secure?
It’s no more secure than sending the Google Doc link directly, which is not secure at all. Google Drive offers no additional protection over Google Docs and should not be used for confidential or sensitive documents.
Is it a security risk to post links to Google Docs on websites?
It depends on your use case. If you’re sharing content that you want to be freely available, then there is little risk to sharing it as a Google Doc rather than a Word Doc, etc.
If the Google Doc you are linking to contains sensitive information, then allowing anybody with the link to view the document poses a significant risk. They can easily bypass the copy protection and share it. Even if you allow only authorized accounts to access the document, you risk trusted users leaking the document or being compromised by hackers. So, it’s best just to avoid using Google Docs for important documents.
Can you password protect individual files in Google Docs?
Yes, if you password protect a Word document or Adobe PDF and then upload it to Google Docs, the password protection will be honored. However, users can still share that password with others or bypass the protection and extract information. As a result, it’s only suitable if you 100% trust the people you are sharing it with (hint: when it comes to digital security, you should never do this).
Can you lock a Google Doc?
In a manner of speaking. You can require users to have access to a specific account to access a document or password protect it and then upload it. Again, however, this only helps to protect the document against external threats, not internal leaks.
Can you make a copy of a Google Doc without permission?
Yes, if a user has been given access to a Google Doc then they can bypass permissions by using the method described above – ‘How to copy a Google Doc that is protected‘.
Can you save a Google Doc as a PDF?
Yes, you can save or convert a Google Doc to PDF even if printing is disabled. Once a user has been given access to a Google Doc, they can print to PDF by appending the URL with /mobile-basic and disabling javascript – see ‘How to copy a Google Doc that is protected‘. This will enable printing. You can then select a PDF printer (such as Microsoft Print to PDF) to save a Google Doc as a PDF.
Can you download protected Google Docs?
Yes, by saving or converting to a PDF, or by copying and pasting contents into another application. If you follow the instructions in this blog you can remove the protection and do what you want with secure docs.
Can you set an expiration date in Google Docs?
Yes, but users can bypass this by removing the protection.
Can you track if someone copied something from a Google Doc?
No, Google Docs only tracks views, edits and changes.
If users bypass the protection controls and copy/paste to a new document or create a PDF for download, then tracking will no longer be active. So even the tracking of edits, views, and changes can be removed.
What is a secure alternative to Google Docs?
If you only have PDF files to protect and share securely, then Locklizard is the best secure alternative to Google Docs for confidential and sensitive business documents. We don’t use insecure passwords, plugins or JavaScript, to protect your documents so the security cannot be easily stripped. Documents are locked to devices so they cannot be shared, and all key management is handled securely and transparently. Documents cannot be copied, edited, screengrabbed or printed, and security settings are enforced for both online and offline files. You can automatically expire documents and instantly revoke access regardless of their location.
Can you stop Google Docs printing to PDF?
No. If you allow printing then users can print to PDF files. If you don’t allow printing then users can bypass the security and print to PDF.
ABOUT US
CONTACT
