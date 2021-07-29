



“A security update will be applied to your drive,” reads a strange new email from Google. All of us at Ars Technica’s staff exploded last night. When I visit drive.google.com, I also get the message “September 13, 2021 security updates will be applied to some files.” You can also view a list of affected files. All of these files are getting unspecified “security updates”. So what does this mean?

Google is changing the way content is shared on the drive. Drive files have two sharing options. One person’s allow list (sharing Google Docs with a specific Google account) and the “Get Link” option (anyone who has a link can access the file). The Get Link option works just like a YouTube video that isn’t on the list. It’s not really private, but in theory it’s not completely public because the link needs to be published somewhere. It turns out that secret sharing links are really just security by hiding, and the links are actually guessable.

In addition to Drive, Google is also changing the way private YouTube links work. Also, the YouTube support page details this change more than the drive.

In 2017, we released an update to the system that generates new YouTube private links. This includes security enhancements that make it harder for someone to find if you’re not sharing a private video link.

Google has been aware of the speculative secret link issue for some time and changed the way link generation works in 2017 (perhaps even for drives?). Of course, it doesn’t affect the links you shared in the past, and soon Google will require you to change your old links, which may break them. Google’s new linking scheme adds a “resource key” to the end of shared drive links, making it hard to guess. Therefore, the link that used to look like “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/” is now “https://drive.google.com/file/d/0BxI1YpjkbX0OZ0prTHYyQ1U2djQ/view?” It looks like “resource key”. = 0-OsOHHiQFk1QEw6vIyh8v_w. Using a resource key makes it difficult to guess.

When you access todrive.google.com/drive/update-drive in your browser, you will see a list of affected files, and hover your mouse over them to see a button to delete or apply on the right side. Security update. “Applied” means that the resource key will be required after September 13, 2021 and will (almost) break the old link. “Deleted” means that the resource key is no longer needed and the links there will continue to work.

Google’s “Affected Files” interface. Feel free to add or remove that security update.

YouTube has already gone through this process at the beginning of the month, and all private links prior to 2017 are disabled unless the video owner is still active and opting out on YouTube. However, Drive does this a bit more elaborately than YouTube. Thanks to account-based sharing, anyone who has previously accessed drive links that are not on the list will be allowed access to them, even if they have upgraded their security. However, new users will not be able to access the upgraded old links. Thus, if you have a stable community that uses files that aren’t on the list, you should be able to continue the track in most cases. However, new members are locked out and need to request access. If you don’t want this, the file owner can always press the “Share” button to change the settings and generate a new link or turn the link off altogether.

It’s good not to let a third party create a list of all unlisted files, but don’t confuse this link change with real security. If you really want to keep it private, don’t share anything through YouTube, Drive, or the “Private” or “Get Link” feature of Google Photos. Secret links are just security by hiding and should not be considered safe or undiscoverable, even if Google upgrades. This arrangement is perfectly fine for casual documents, but we always assume that anyone in the world can read “private” files. If that’s okay, it’s okay. However, if this is not the case, use Google’s actual private account-based sharing options.

