Dangers of Sharing via a Public Link and Safer Alternatives

One of the substantial advantages of Google Docs and Sheets over traditional Microsoft products is the ease of document sharing and collaboration. Nowadays, practically everyone has a Google account, making document sharing simple.

However, if you don’t know the person’s email, are dealing with multiple people, or need to continually manage access, it’s much more convenient to share via a “secret” link. This method is incredibly enticing and convenient.

Sharing a document via a public link
Sharing a document via a public link

In this post, we’ll discuss why you should resist this temptation and explore alternative approaches.

Before we dive in, let’s understand why link sharing is problematic: it grants unlimited read (or write) access to anyone possessing the link. The data is protected solely by the “secrecy” of the link, a practice known as “security by obscurity,” which is highly discouraged. Here’s a non-exhaustive list of ways this “secret” link can leak:

  1. By mistake: Someone could email this link, screenshot it, record an explainer video, etc.
  2. Search engines could index it: Over the years, numerous instances have occurred.
  3. Disgruntled employees/colleagues: They could maliciously share the link.
  4. Hackers: They could retrieve the link from another compromised system.

I’ve personally witnessed at least a dozen of instances where the link was no longer a secret, often resulting in the malicious use of the data. This risk is far from theoretical.

If you use Google Workspace, I’d even recommend prohibiting public sharing, unless absolutely necessary.

The consequences of sharing via a link:

  1. Uncontrolled Access: By design, anyone with the link can view the document and you nether control nor know who has access.
  2. Inability to Revoke Access: You cannot remove access from a specific individual without removing it from everyone. For instance, when an employee leaves the company, you’d likely want to revoke their access to company data. You can’t do this with shared links; it’s an all-or-nothing deal. You can’t change the link either; this requires creating a new document, closing access to the old one, opening access to the new one, and distributing the new link.
  3. Unauthorized Access: Individuals may stumble upon the link or intentionally seek it out.
  4. Activity Log Ineffectiveness: If you use Google Workspace, the document’s activity log will not be helpful.
  5. Reputational Damage: Clients, colleagues, and employees may react negatively to data leaks. Even the perception of poor practice can be damaging to a company’s reputation.
  6. Compromised Security Culture: By tolerating link sharing, you’re endorsing lax security practices, fostering a potentially harmful culture. If security can be compromised here, what other shortcuts are being taken?
  7. Legal Implications: Data protection laws set certain standards for data protection. Public sharing is generally not one of them. This is not legal advice.

Is There a Place for It?

The only valid case for link sharing is when you’re comfortable with the entire world viewing the document. This includes everyone from friends and employees to competitors and authorities. For instance, you might choose to make instruction manuals, price lists, or event schedules public.

Conversely, if there’s anyone you wouldn’t want viewing the document, avoid link sharing. While it may seem fine 99% of the time, it’s that 1% that could be problematic. Especially when there are reliable alternatives available.

Now, let’s examine common scenarios where link sharing is convenient and explore the alternatives.

You Don’t Know the Email Addresses of the People Who Need Access

In this case, you either need to obtain the email addresses or instruct people to request document access. Then, you’ll need to grant the access. While this isn’t the most convenient approach, it’s safer than link sharing.

As the document owner, you’ll receive access requests in your email, streamlining the process:

Request for access that arrives at the owner's email
Request for access that arrives at the owner’s email

Multiple People Need Access to the Same Set of Documents

Here, you have three alternatives:

  1. Folder Sharing: Put the documents in one folder and share it with the necessary individuals. While low-tech, it’s effective when used wisely.

  2. Google Groups: If the list of people needing access remain constant, you can create a group and share the documents with that group. Group members will have access as long as they remain in the group. Google Groups are available to all Google account users for free.

    Managing access with Google Groups
    Managing access with Google Groups
  3. Organization-Wide Sharing: If you use Google Workspace, you can share the document with your entire organization (domain). While not the most flexible approach, it addresses many common use cases.

    Domain-wide access to documents
    Domain-wide access to documents for Google Workspace users

You Need to Manage Diverse Access Levels for Different Groups of People

Google Groups shine in this scenario: you can create multiple groups for various access levels. When someone joins the team, you only need to add them to the relevant groups. Similarly, when someone leaves, you don’t have to track every document they had access to; simply remove them from the corresponding groups. This greatly simplifies access management.

Sharing a document via a link is as risky as it is convenient. While it may seem harmless in most cases, its potential repercussions and risks outweigh the benefits, except in specific situations. Particularly when there are robust alternatives, including using Google Groups .