Here’s what that Google Drive “security update” message means – Ars Technica

Here’s what that Google Drive “security update” message means

“A security update will be applied to Drive,” Google’s weird new email reads. A whole bunch of us on the Ars Technica staff got blasted with this last night. If you visit drive.google.com, you’ll also see a message saying, “On September 13, 2021, a security update will be applied to some of your files.” You can even see a list of the affected files, which have all gotten an unspecified “security update.” So what is this all about?

Google is changing the way content sharing works on Drive. Drive files have two sharing options: a single-person allow list (where you share a Google Doc with specific Google accounts) and a “get link” option (where anyone with the link can access the file). The “get link” option works the same way as unlisted YouTube videos—it’s not really private but, theoretically, not quite public, either, since the link needs to be publicized somewhere. The secret sharing links are really just security through obscurity, and it turns out the links are actually guessable.

Along with Drive, Google is also changing the way unlisted YouTube links work, and the YouTube support page actually describes this change better than Drive does:

In 2017, we rolled out an update to the system that generates new YouTube Unlisted links, which included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven’t shared the link with them.

Google knew about the problem of guessable secret links for a while and changed the way link generation works back in 2017 (presumably for Drive, too?). Of course, that doesn’t affect links you’ve shared in the past, and soon Google is going to require your old links to change, which can break them. Google’s new link scheme adds a “resourcekey” to the end of any shared Drive links, making them harder to guess. So a link that used to look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/” will now look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?resourcekey=0-OsOHHiQFk1QEw6vIyh8v_w.” The resource key makes it harder to guess.

If you head to drive.google.com/drive/update-drives in a browser, you should be able to see a list of your impacted files, and if you mouse over them you’ll see a button on the right to remove or apply the security update. “Applied” means the resourcekey will be required after September 13, 2021, and will (mostly) break the old link, while “removed” means the resourcekey isn’t required and any links out there should keep working.

Google's "impacted files" interface. Feel free to add or remove that security update.

Google’s “impacted files” interface. Feel free to add or remove that security update.

YouTube already went through this process earlier in the month, with all unlisted links before 2017 going dead, unless the owners of the videos are still active on YouTube and opted out. Drive is doing this with a bit more finesse than YouTube, though. Thanks to account-based sharing, anyone who accessed your unlisted Drive links in the past will still be granted access to them, even if you upgrade the security. No new people will be able to access the old, upgraded link, though. This way, if you have a stable community that uses an unlisted file, it should mostly be able to keep on trucking. Any new members, however, will be locked out and will need to request access. If you don’t want this, at any point the owner of the file can hit the “share” button and change the settings to generate a new link or turn off the link altogether.

Not letting third parties create a list of all your unlisted files is a good thing, but don’t confuse this link change with any actual security. You should never share anything over the “unlisted” or “get link” features on YouTube, Drive, or Google Photos if you actually want it to be private. Secret links are just security through obscurity, and even with Google’s upgrades, they should not be considered secure or undiscoverable. This arrangement is totally fine for casual documents, but always assume that anyone in the world can read an “unlisted” file. If you’re OK with that, fine. But if not, use Google’s actually private account-based sharing options.