Skip to main content

Google Drive security update: What is it and what do I need to do?

The Google Drive tricolor triangle logo displayed on a laptop screen.
(Image credit: monticello/Shutterstock)

If you're a Google Drive user, you may have received an email in the past couple of days with the subject line "Security update for Drive." Or you may have seen a banner across the top of a Google Drive page stating: "On September 13, 2021, a security update will be applied to some of your files. Learn more."

So what is this change, how does it affect you, and what do you have to do? Google's own support post about the "security update" for Google Drive isn't terribly clear, unfortunately. 

The good news is that you don't need to do much. First of all, "Google Docs, Sheets, Slides, and Forms aren't impacted by this security update," a rather important detail that Google buried in the hidden-answer FAQ section of its support notice.

Second, the "security update" (and we'll get into the reasons for the quotation marks below) has already been applied to your Google Drive files. If that's fine with you, then you don't need to do anything at all. 

We, like Google, recommend that you let the "security update" happen, and we'd like you to read on so that we can explain why. But we realize you're pressed for time, so here's what you may need to do.

How to roll back the Google Drive security update

If you have older shared files on your Google Drive that you're totally cool with anyone seeing, and would like anyone to be able to access in the future without having to bug you for permission, then you may want to remove the Google Drive security update for those specific files.

1. Head over to https://drive.google.com/drive/my-drive. (It's probably best to do this on a desktop or laptop.) You'll see a long list of all your Google Drive files to which this "security update" has been applied.

2. Go through the list (it can be sorted alphabetically, by creation date or by last-modification date) to pick out each file that you don't want the "security update" applied to.

3. Hover your mouse over each of those files and click the link stating "Remove security update" that appears on the right. 

4. A dialogue box will pop up asking you to confirm your choice. Click Remove in the box and move on to the next file.

Once you've done this to all the files you need to, you're done. You can go back and do this again to any file you'd like, or reapply the security update to files from which you had removed it, even after Sept. 13.

Why Google is applying this update to Google Drive

We have to thank Ron Amadeo over at Ars Technica for this next part, because Google doesn't explain it well. 

Basically, Google Drive lets you share files two different ways: with specific Google Drive users whom you designate, and with anyone who has the link.

The first type of file sharing works lets only those specific individuals with whom you've shared the file AND who are logged into their Google accounts see the file. Those individuals will get an email telling them you've shared the file, and will get a link to that file that only they can use.

The second type lets anyone with the link, or URL of the file, access the file whether or not they're signed into Google, or have a Google account at all. It's up to the file owner to decide whether to post that link on a website or on social media to make it truly public, or to give the link to only a few people to keep it semi-private.

The upshot, however, is that anyone can access a file using the second type of link, and anyone can also resend that link to random other people whom the file owner may not know. (There's a third kind of sharing for enterprise Google deployments that restricts one-to-many file sharing to specific company domains.)

A long string of gibberish that's meant to be hard to guess

In all cases, the link to the Google Drive file is something that looks like: 

https://drive.google.com/file/d/OUejYjuQOAc_9wk5aGLdi5v9Tqu_QXhlR/view?usp=sharing

(Not a real file link.) 

Now, this second kind of file isn't really protected. All you need is the sharing-link URL to access it. But Google uses that long string of alphanumeric gobbledygook above to make the URL completely random so that no one can set up a computer script to brute-force or guess the URLs and access shared files en masse.

That's an example of what experts call "security by obscurity." It's not hard to access the file — it's just hard to find the file.

Well, that level of obscurity no longer seems to be good enough. (Amadeo points to a 2020 blog post detailing the risks of shared-file links in general, but the post doesn't specifically explain how Google Drive links are risky.)

What Google is doing with this "security update" is not updating the security, but just making the publicly shared files even harder to find. It's adding another string of 24 random characters called a "resource key" to the end of existing shared links. 

The fake example above will then look like this: 

https://drive.google.com/file/d/OUejYjuQOAc_9wk5aGLdi5v9Tqu_QXhlR/view?usp=sharing&resourcekey=p4x5BkgU-qE5JtHIaFrT_eXJ

Why Google is doing this, we don't quite yet know. Perhaps Google Drive links are indeed guessable in some way. 

Perhaps computers have advanced to the point where they can crack a random string of 28 to 33 characters. (Some newer links in our Google Drive folder have 49 random characters, plus the 24-character resource key.) 

Perhaps there are just too many Google Drive file links floating around in public that were meant to be semi-private.

What this means for your and your Google Drive files

But in any case, the addition of the resource key is establishing a "time wall" that goes up Sept. 13. 

After that date, anyone who stumbles across an old link, without the resource key, to an old Google Drive shared-with-anyone file and then tries to access the file for the first time will be blocked. No go.

Instead, those first-time accessors will have to request access from the file owner to view the file, and the file owner can send them a new link with the resource key attached — kind of the same way that truly private files are shared between Google Drive users.

In Google's own words: "You'll need to send collaborators the new, updated link that includes the resource key for your files, so they can gain access once the security update is applied. Do not remove the resourcekey parameter when passing the link to others."

This new update isn't really making these files private, however. Anyone who has already accessed a "shared-with-anyone" file before Sept. 13 will still be able to access it after Sept. 13. Only new people trying to access it for the first time after Sept. 13 will need to request access.

Meanwhile, shared-with-anyone file links created after Sept. 13 will make those files accessible to anyone who has the link, because the new links under this new format will include the resource key. 

Google is just drawing a big fat red line between shared-file links created before Sept. 13, and shared-file links created after that date. We have a feeling it won't be the last time.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.