Google Vault. It’s a Cyber Security issue no one is talking about. Is your company email, Gmail? Have they upgraded to include Google Vault? Well, You probably won’t know if they have…but if email privacy matters to you, you’re gonna wanna find out.
Here’s why: With Google Vault . . .
Everything you type into Gmail – even Drafts can be saved. When I say “Drafts” I’m not just referring to the ones you saved to your Drafts Folder. Every iteration becomes a “draft’ or variant of that email and is saved to the Google Vault. To be clear, its not just the email you click send on. It’s everything you type to get to the click. Typos, rethinks, anger, errors. All of it. Every single keystroke.
Who can see? Every Google Vault has at least one Administrator, and it can be a number of people: Your boss, the IT guy or another peer in the company. Essentially the Administrator has access and can search the Vault.
Digital Privacy: My Google Vault Story
Like millions of businesses, we use Gmail. It’s best in class, with great encryption and spam filtering and search. When it comes to technology and privacy, Google has advanced and secure Cloud infrastructure.
Our IT guy a few months ago suggested we upgrade to Google Vault so that we could archive old emails indefinitely – as a business owner, I value the ability to save company data and communications. Lots of archiving systems can do that…
But Google Vault doesn’t just save emails, chats, Hangouts, files (PDF, DOCX and JPG, Microsoft Word, Excel, Powerpoint) Google Earth and connected Gmail products…Recently, I accidentally discovered that with Gmail and the Google Vault turned on – virtually everything an employee had typed, every iteration was saved – sometimes as many as 50 versions of one email!
A Peek Inside Your Not-So-Private Email
Let me show you a stunning screenshot of what I see when I search topic or name in Google Vault:
It looks worse then it sounds.
Being a bit of a privacy fanatic, I was compelled to demonstrate the inner workings of the Google Vault to my employees so we created a video demo. We watched as keystrokes were typed while on or connected to the Gmail server were “vaulted”. It was very unsettling to see that even when a “draft” was deleted from an employee’s draft folder, every word, mistake etc. stayed in the Google Vault. Each iteration became a time-stamped “draft.” Working very much like a keystroke logger.
Google puts it this way: “Messages are available in the vault as soon as they are received by Gmail.”
If you’re getting a bit nervous here, I’ve included some helpful work-a-rounds at the end of this article, but stay with me for a moment. If you want to see HOW EMPLOYEES REACT TO SEEING THEIR GOOGLE VAULT Click HERE
Google Vault is part of what used to be called Google Apps, changed to G-Suite back in September 2016. It’s collection of all Google’s powerful business tools and includes Gmail, Docs, Drive Sheets and Calendar. G-suite is a Cloud based enterprise that Google touts as an “All-in-one suite to communicate, store and create.” The Vault and can be added to Google’s basic Gmail for $5.00 per user per month or it’s included in G-suite for $10 per user per month
Who Loves Google Vault?
For one – Employers. It’s great for finding and retrieving valuable company information and data, even from closed accounts. The things hidden in drafts can be very revealing.
Who else loves it? Lawyers. Everything in the Vault may be “discoverable” – meaning it could be subpoenaed in a lawsuit or criminal investigation. It’s called e-discovery, the process of seeking and finding information in electronic format, in response to legal matters and investigations. Note that many archival systems can and do save company communication for the purpose of litigation. Vault makes this super easy as it uses Google-patented search to access data in email and attachments(!) including Word .docs power point, attached PDF’s, Hangouts, chats etc. and . . . everything typed onto a company mail that’s connected to the Gmail server.
This is the part that really concerns me: The words you type into Gmail are saved—the thoughts your wrote and then deleted or wrote over—those are saved and may be discoverable. Now, truthfully, it would be a rare occurence for drafts in the Vault to be subject to search, but not beyond the realm of possibility if circumstances were compelling. If they were discoverable would someone be guilty or complicit by virtue of their thoughts?? I don’t know, but I like to think my thoughts are just…well, mine, and subject to change.
UHH, But for How Long?
Incredibly, employers or administrators can set the time period for data to be retained up to 36,500 days! That’s 100 years.
When an employee leaves, an employer can choose to delete the account or “suspend” it. If the account is suspended, the data REMAINS in the Vault, long after you’ve left that particular workplace.
What do Privacy Experts Say?
If the very idea of an employer being able to look at your email seems not right to you, listen to this. I contacted Paul Stephens Director of Policy and Advocacy at The Privacy Rights Clearinghouse. He viewed Safertech’s Google Vault Video and though he was not aware of the detail of the Vaults functionality he offered this reminder:
“Almost anything an employee does on an office computer can be monitored. Courts often have found that when employees are using an employer’s equipment, their expectation of privacy is limited.”
I also reached out to a woman highly respected in the world of Cyber Security, Dr. Dena Haritos Tsamitis, Director, Information Networking Institute at Carnegie Mellon University for her input and perspective:
“In the past decade, rapid advances in workplace technology have often come at the expense of privacy and security. On one hand, we have enterprise-level software and applications like Google Vault offering incredible opportunities for collaboration and communication. On the other, we have the threat of compromising the privacy of employees.The balance lies in an organization’s commitment to understand how these tools work and educate its employees on safe and secure practices.”
Excellent advice, Dr. Tsamitis. Of course, my entire team is now well aware of our utilization of and the privacy implications of Google Vault.
To Be Honest
As an employer, TBH, I’m not stoked about seeing or saving drafts. Honestly, looking at a draft that wasn’t sent makes me uncomfortable. It’s creepy. I feel like I’m spying and looking at thoughts and words that we’re not meant to be shared. I realize I can choose not to search drafts and I intend to exercise that option—now that I’m done experimenting and researching for this article.
Digital Technology, Cyber Security, the Cloud and Privacy
If Cloud-based Google Vault has the ability to save every Gmail written on its live server, that probably means that anyone writing in Gmail should assume that all words are saved-and/or could be stored and accessed. The same holds true for most if not all files stored in the Cloud. More then ever, we should be very mindful of everything we do and put online. As I said in the Safertech.com Cookie Video, when it comes to ALL your internet moves, Privacy is Absolutely NOT Guaranteed. Practice mindfulness when on-line.
In This Connected World: Writer Beware.
Remember, if you use Gmail at work, you may have no idea if your employer uses Vault on their end. So, first things first – ask! Ask HR, ask the IT guy. We’re not sure what your employer is obliged to tell you -but it doesn’t hurt to ask.
I contacted Google about eliminating the option to save drafts. A customer service representative of Gmail verified that there is no option to “not save” drafts at this point, but did offer me the opportunity to suggest the change to developers. So I submitted the idea to Google as they directed through the Features program.
THE Privacy FIX
If your work email is served by Google and you suspect Vault is enabled, and you’re concerned about privacy and cyber security, there are a couple of ways to limit what’s being recorded:
Option 1. Disable Drafts in “MAIL” If you’re using a mail “client” like the Mail program on Macs or Outlook on PC’s, you can choose to disable store draft messages on the server IF you use IMAP so you are not typing directly into the Gmail’s digital net. Take a look:
Option 2: IF you have an older version of Microsoft Office you’re Golden. It used to be the apps were never connected to the internet. Type into TextEdit or Word. Compose to your delight in those apps, cut and paste directly into your Gmail or Mail Client. This option works only on Non-cloud based. You can do this with the new versions, but you run the potential of the version being saved on Microsoft servers, depending on your settings.
Option 3: Disable Internet connection: You Compose, delete, type over and write anything you want and then, when that draft is in final form, you can reconnect to the internet and send or save just the final draft on the server.
Prior to disconnecting from internet, you can open Gmail. Then, disable internet and Gmail allows you to “compose” as many different emails as you’d like. Each time you click “COMPOSE” a new window pops up. You can also compose in a mail client or use Word or Stickies or text edit and then cut and paste to Gmail or your mail Client.
Love this idea because you are also using your device free from WIFI! Note, anytime you use airplane mode you are not connected to the internet, or WIFI or Bluetooth or Web browser, so there’s no way to be typing directly on to a server. Bonus for your healthy lifestyle: There’s no cell phone radiation, WIFI radiation or Bluetooth radiation either.
And finally, if you are concerned about Cyber Security, be sure to check out CreepBlockers webcam covers.
Stay safe out there-