The Stack Archive

Google Docs adds access expiry dates – but no security improvements for non-Google invitees

Wed 16 Mar 2016

Google Docs has added useful new functionality that allows users to determine how long invited guests will have access to various types of document available in Google Drive, including Docs, Slides and Sheets.

The announcement, made at the Google Apps blog, addresses a problem which can be a genuine security issue for collaborative workgroups which have invited third-party contractors or other ‘temporary’ guests into sensitive documents which might well later include additional information that was never intended to be shared on a continuing basis outside of the core group.

The (unattributed) post says:

‘imagine your business hires an outside contractor for a project lasting three months. To complete the job, that contractor needs to view a spreadsheet containing the contact information of your employees. Following this launch, you’ll be able to share your employee list in Sheets with the contractor, give them view access only, and set that access to expire when their contract does (in three months). If the contractor attempts to open the spreadsheet after the expiration date has passed, they’ll be denied access.’


It’s a notable feature, and one which I am surprised to find is not available in Microsoft’s Office 365/SharePoint schema; a customer seeking the functionality was advised that although an unaccepted invitation can be set to expire, for example within 7 days of sending, that represents the limit of user control, and ‘once the external users accept the invitation, we cannot withdraw them. The only way to disable their access to the shared file is removing them from the shared users name list.’

Actively removing invited users from shared documents can be politically tricky, and in my experience the only way to avoid the problem is to re-create the document elsewhere, inconveniently, and re-invite the long-termers. Automating the process takes the sting out.

Are you ‘one of us’..?

However, you still need participants to have a Gmail address/Google ID (it’s effectively the same thing) in order to keep a shared document really secure. This is a failing in Google Docs that has needed addressing for a long time – and one which Yahoo remedied last week.

Yahoo Senior Product Manager Assaf Kremer announced at the company’s Tumblr blog last Thursday that it is now possible to create a Yahoo account with any email address, giving users access to Yahoo services without the overhead of an inbox that they don’t want or need:

‘Yesterday, Jack would have had to create a new Yahoo email address just to sign up for Yahoo Sports Tourney Pick’em. That’s not fair to Jack and just doesn’t make sense. He will probably forget the Yahoo email address he created just to play and won’t check his inbox very often, so there’s a good chance Jack will miss important emails about the status of his picks, his pools, etc.’

Yahoo’s current existential straits give the organisation a good reason not to straitjacket or ‘bundle’ its consumers into unwanted channels or email addresses, whereas Google remains a big enough gorilla that it can mandate a Gmail ID if reasonable security is needed on a document. Add a non-Gmail address to the invitees’ list and you’ll be advised: ‘Are you sure? You are sending an invitation to [recipient]. Since there is no Google account associated with this email address, anyone holding this invitation will have access without signing in.’



Google news security Yahoo
Send us a correction about this article Send us a news tip