Many people store documents, photos, videos, and other files online. In doing so, they expect those files to remain private and secure unless they choose to share them. But a glitch that affected some Google Photos users shows that private, cloud-based files can be vulnerable unless precautions are taken.
On Monday, Google sent emails to certain Google Photos users alerting them to a problem that affected them in late November 2019, as described by 9to5Google. For some Google Photos users who turned to Google Takeout between November 21 and 25 to download their data, one or more of their videos were “incorrectly exported to unrelated users’ archives,” meaning that other people were able to see them. On the flip side, some Google Photos users who requested a download of their files received the videos of other users.
Screenshots of the emails from Google were posted on Twitter by Duo Security founder and Chief Technology Officer Jon Oberheide, whose initial comment was “Whoa, what, @googlephotos?” Oberheide asked Google for more information on which and how many videos were impacted and how many parties received them. In response, Google said: “Unfortunately, we’re not able to provide a full list of impacted videos.”
Sharing further details, Google said that less than 0.01% of Photos users attempting Takeouts were affected, and no other product was affected. But in July 2019, Google revealed that its Photos service had signed up more than a billion users, according to a story in Fast Company, so the number of people affected by this glitch is not insignificant.
Google added that it has since fixed the issue and conducted an analysis to help stop this from happening again. As a resolution, affected users are urged to delete the latest export to remove any videos from other users and perform a new export of their Google Photos content.
“We are notifying people about a bug that may have affected users who used Google Takeout to export their Google Photos content between November 21 and November 25,” Google said in a statement. “These users may have received either an incomplete archive, or videos—not photos—that were not theirs. We fixed the underlying issue and have conducted an in-depth analysis to help prevent this from ever happening again. We are very sorry this happened.”
Technology and human nature both being imperfect, glitches like this are an unfortunate fact of life. The problem is that we increasingly rely on the cloud to store and back up files, including sensitive and private files. And when such accidents occur, whether through technical malfunction or human error, we can’t help but wonder if we’re placing too much faith in these companies to protect our data.
“The situation shows that these kinds of flubs can and do happen even to reliable cloud storage providers,” said Oliver Noble, encryption specialist for file encryption site NordLocker. “Although there haven’t been any responses to the damage this incident caused, it is nonetheless a violation of privacy.
“At first glance, Google Photos seems to offer a great service, letting you automatically back up your photos and keep them in the cloud. However, like any other service, it has a cost – and the price is your privacy. By scanning your photos, Google can identify your face and track your location. It might look like a fair deal, but the recent case shows just how much of your privacy is at stake,” Noble said.
But before you’re tempted to renounce cloud storage altogether, you can better secure your online files. And one way to do that is through zero-knowledge encryption, according to Noble.
“There are two main ways of keeping your files private: storing data in zero-knowledge cloud storage or using a file encryption tool before uploading valuable information to the cloud,” Noble said. “This way, even if your cloud storage gets hacked (or the data gets mixed-up, like in Google’s case), no one else can decrypt your files and get access to the contents.”
Zero-knowledge cloud storage is available from a variety of providers and sites, including Mega, pCloud, Sync.com, Tresorit, and Zoolz. You’ll find other sites simply by running a search on “zero-knowledge cloud storage.”
The other option, using a file encryption tool, may be more viable if you don’t want to change your cloud provider. Of course, NordLocker is one program that can encrypt your files before you upload them. Other tools include AES Crypt, AxCrypt, CertainSafe Digital Safety Deposit Box, Folder Lock, and Renee File Protector.
“Google offers great products for free, only asking for your data in return,” Noble added. “As such, it is no surprise that Google Photos doesn’t allow encrypted content. But it’s no longer alone in the game, with many alternatives now offering stronger security.”