G Suite is Google’s comprehensive collection of collaboration tools and cloud storage, which includes Gmail, Hangouts, Calendar, Drive, Docs, and a host of other apps and features, making it popular and widely used in education and the enterprise world, including by journalists and media outlets such as The New York Times, The Guardian, The Wall Street Journal, and other big names.
But given both the nature of Google and of journalism – the former’s track record with data security and privacy and the latter’s professional need for it – the question becomes: should newsrooms be using G Suite at all? Can journalists hold the government and big tech corporations such as Google to account if those entities have access to all of their data and documents?
Freedom of the Press Foundation (FPF), a non-profit, is trying to answer this question in a post that breaks down various elements of G Suite, the way they function, and the way that may reflect on the ability of journalists to do their work and the integrity of their data.
For one thing, FPF points out: data created and exchanged using G Suite is not end-to-end encrypted, which allows Google – and others, such as a US government agency, to gain access to it. At the same time, G Suite “also offers organizations powerful tools to monitor and retain information about their employees’ activities.” The recommendation is to be aware of the risks and consider using fully encrypted alternatives if you work with sensitive data, which is not only exchanged but also stored on Google servers.
Furthermore, while on the one hand, Google says it’s not putting G Suite data to work for advertising purposes like it does with that harvested from other services, it still reads and uses that information. According to the tech giant, this is done to detect spam and malware, and also for “spellcheck and assisting with search within a user’s Google account.”
As the FPF blog post observes, this sometimes means that legitimate work of journalists gets flagged as breaking Google’s rules – and sometimes journalists find themselves locked out of their own documents on GDocs for no apparent reason.
Has anyone had @googledocs lock you out of a doc before? My draft of a story about wildlife crime was just frozen for violating their TOS.
— Rachael Bale (@Rachael_Bale) October 31, 2017
Google also promises physical safety of data stored in their data centers, and limited access by employees – but, FPF said, it’s unknown how many employees have access, nor to what kind of data and for what reason – including when this access is required by law.
Speaking of which – the article mentions the 2012 case of New York Times journalist David Sanger, whose communication on Gmail with his source for a story on the US-Israeli government designed Stuxnet malware was revealed by Google on the order of a US court. The long and the short of it is that, yes – the US government can, and does ask Google to hand over user data. Last year, Google received 43,683 such requests covering 124,991 accounts and complied in 81 percent of the cases.
G Suite accounts for media outlets are managed by the companies who own them, and another question to keep in mind if you’re a journalist using these tools is this: what level of access to your data does the account administrator have?
G Suite Enterprise, for example, gives administrators pretty much full access: to email and document content and metadata, including IP addresses, along with the right to retain data, as well as dates and authors of any and all modifications made to documents. Administrators can also do a spot of surveillance by receiving push notifications for “suspicious behavior” – this is meant to serve as an anti-hacking measure, but the possibilities are broader.
One “fun example” the FPF mentions here is that administrators can, if they want to, “keep draft copies of emails, even after the email is removed from the draft folder.”
One rule of thumb mentioned in the article is that it’s a good bet everything a user can access and see is also visible and accessible to their administrator – so the tip would be to behave with this in mind. And while the final product of a reporter’s work will become public anyway – the process is not meant to be, especially if sources need to be protected.
Journalists of all people should know, but it still bears repeating: information is power, so G Suite users should find out which version of the service they are running, and what kind of configuration their administrator has put in place in terms of access and data retention.
And as ever, it’s worth considering alternatives that offer proper security through end-to-end encryption and full data privacy, especially if these are of vital importance to a journalist’s work. Other times, FPF said, data may need to be kept off the cloud and stored locally – or “off a computer entirely.”