Some users' private documents were accidentally shared with other users on the internet without the owners' consent after a glitch at Google over the weekend.
Google confirmed Monday that some users of the Google Docs service did receive a note from Google Friday informing them of the breach.
'If someone of the scale of Google has serious security problems in their sharing system, it underscores that you have to be exceedingly careful.' — Ann Cavoukian, Ontario privacy commissioner
The email said Google had "identified and fixed a bug which may have caused you to share some of your documents without your knowledge," and it listed the affected documents.
A very similar message was posted Saturday morning on the Google Docs blog by product manager Jennifer Mazzon.
Google Docs is a service that lets people create documents such as letters, spreadsheets and presentations using online software supplied by Google. The documents are stored on a Google server instead of the user's own hard drive, so they can be accessed from multiple computers. Users have the option of sharing their documents with certain other users, and can control their sharing settings.
Google said the unauthorized sharing over the weekend:
- Was limited to people with whom the user had previously shared a document.
- Included documents and presentations, but not spreadsheets.
- Only occurred if the user or a collaborator with sharing rights chose multiple documents and presentations from the documents list and changed the sharing permissions.
Less than 0.05 per cent affected
Google said less than 0.05 per cent of documents stored using Google Docs were affected.
For those, the company removed all collaborators and viewers from the affected documents, and said they would have to be restored manually.
"We apologize for the inconvenience that this issue may have caused," the email to affected users said. "We want to assure you that we are treating this issue with the highest priority."
Google Docs is part of a growing phenomenon called cloud computing, in which software applications and data are stored on and accessed from servers on the internet rather than the user's own computer.
Ontario Privacy Commissioner Ann Cavoukian, who has been studying the issues raised by the growth of cloud computing over the past year, said the incident illustrates the level of trust that users must have in their supplier of cloud computing services.
She noted that most users would assume that Google would have very strong privacy protection in place.
"If someone of the scale of Google has serious security problems in their sharing system, it underscores that you have to be exceedingly careful," Cavoukian said.
But her criticism of Google was measured.
"Everybody makes mistakes, and I get that."
She said Google deserves credit for confessing right away and immediately fixing the problem, but added: "Every individual has to be the judge as to whether they think that's sufficient or not."
Cavoukian's office has been working on tools to help users of cloud computing safeguard privacy.