While Google Drive is used as a collaborative tool and means of storing and sharing files with other users, many people also use it for personal storage.
This leads to a very important question: what can someone see when you share a folder with them? If you share a folder full of files with a user, can that user then see other folders and files?
The Simple Answer
The most straightforward answer to this question is a basic “No.”
Google Drive sharing permissions are slightly complex, but there’s one thing simple about them: anything you don’t expressly share is set, by default, to be private to just you.
That said, there are a handful of reasons why this might not be the case, mostly revolving around settings you may have changed, permissions you may have granted, or particular types of Drive accounts.
How Sharing Works
To understand why your files are private, all you need to know is how sharing works on Google Drive.
It’s generally pretty simple. Everything in your account, by default, is private to you. Only you, people who have your login and password information, and a very limited selection of Google employees have the ability to see your files.
That means you can see your files (of course) and, ideally, no one else; you shouldn’t share credentials in the first place, and any system that needs your credentials should be using something like oAuth instead. That limited selection of Google employees who could look into your Google Drive is heavily audited and monitored, and frankly, they have no reason to do so outside of circumstances where you’re violating the law or where you’ve filed support tickets and requested it.
If you want someone else to be able to see a specific file, you can share the file. That file can be made visible solely to the one person you share it with or to anyone with a link. This way, you can somewhat limit how visible the file is. Of course, if you give one individual access to the file, they can still download or make a copy of the file, so you would need to restrict that access if you want the file to be completely restricted to your limited access list.
There’s also always the possibility that someone could painstakingly copy the file manually if they wanted, but truly, if you’re worried about someone sharing a file you share with them, you probably shouldn’t share it with them in the first place.
Either way, one thing is true: when you share one specific file with another user, the only thing they can see out of your Google Drive account is that one specific file. They cannot in any way access anything else in the same folder or anything in another folder. Everything else is still restricted to just you for your permission.
The same sort of thing applies to folders of files. You can share a whole folder of files with another user or grant access to anyone with a link. This is very common! For example, you take a bunch of photos on vacation, and you want to share them with your family, so you put them all in a folder and share that folder with them.
Anyone with the link, or anyone given permission to access the folder, can see all of the files in that folder. You can’t hide individual files in that folder but keep the whole folder shared (though there is a goofy workaround), but it’s easy enough to move anything you don’t want to be shared out of the folder first.
And, as I recently discussed here, there’s no way to share everything in a whole Google Drive account, so there will always be a place you can put files that no one can see without your explicit permissions: your root directory.
To sum up, the three sharing modes for files and folders are:
- Restricted. Only you, people with your login information, and specific Google employees can see the file or folder.
- Shared. You can give individual people permission to view the file or folder, but they can only see the file or the folder’s contents and nothing else on your Google Drive. You can also set permissions to restrict their ability to make copies, download, or print the files.
- Anyone with the link. With this, you generate a shareable link, and anyone who clicks the link can see the file or the files in the folder. They cannot see anything else on your Google Drive.
There’s no way for someone who has access to one file to see other files or who has access to one folder to see files or folders not inside that folder.
One exception to the rule is that Shared Drives work differently. Shared Drives are not your Google Drive; they’re a type of network drive that anyone who has access to can see everything in. It’s like credential sharing without credential sharing.
Shared Drives are a feature of Workspace, not of Google Drive for personal users. That is, you’re only generally going to encounter them in a business, corporate, or school environment. In these cases, the shared drives are managed by an admin, who can see and manage everything in them. They have member lists, and everyone who has access to the shared drive can see anything and everything in the drive.
If you’re a member of a shared drive, that does not mean your personal Drive is visible, though.
Anything in the shared drive is visible to other members of the shared drive, but nothing in your personal drive is accessible without you also adding it to the shared drive.
The API Exception
There are a few other exceptions to the rules above. One in particular that is relevant to me is the API exception. Google’s API can show information about files and folders to someone who has been authenticated. That means you, of course, but it also means anyone you give access to via the usual oAuth login.
This is how Filerev works, for example. When you sign up with Filerev, you’re asked to log into your Google account.
Neither my app nor myself ever see your credentials; the oAuth process allows you to log into Google directly, and Google passes on access permission to my app.
From there, Filerev can view all of the files and folders on your Drive. This is required so that it can scan them and help you sort through them by size, age, and other filters. The access also allows for actions like deletions to take place.
This isn’t a bad thing!
If the API couldn’t access your files without explicitly having them shared, then there’d be no way for an app like Filerev to work. Imagine if you had to individually grant Filerev permission to access each file and folder in your Drive, and how much work that would be for both you and me.
Thankfully, the oAuth and API combo allows me to bypass all of that.
I’ll also be clear here: while Filerev can see, sort, and display your files for you, I don’t have that access. I’m not rooting around in your accounts or viewing your files; everything you do is between you and the app. I can only view some limited information, and only with your permission, such as if you’re having a problem with the app and I need to troubleshoot it with you.
The Credential Sharing Exception
Another way that someone could see the contents of your Google Drive is if you give them your login and password information. While this sounds obvious, there are still a surprising number of people who don’t know the difference between something like oAuth and just handing over your username and password.
This is, of course, fully intentional by the people who want to steal your credentials.
Note: Credential sharing – any time you give another user your username and password in plain text – is rarely a good idea. There are many official, more secure ways to share an entire Drive, be it through a Shared Drive, by granting a user access to a top-level folder and putting everything else in it, or another workaround. Don’t share credentials.
The reason credential sharing is so bad is not just because of the access to Drive but because it can access everything.
That user isn’t just able to see your Google Drive; they can see your Gmail, your Google Sites, your GDocs and GSheets and other apps, and anything you have connected to a Google account. Do you know how it seems like every other website out there has the option to log in with Google? Any that you’ve used Google to log in with is now accessible to whoever you gave your credentials to.
More than that, what happens if you use Google Authenticator for your 2FA? They can access those codes or even reset them. What about Google Pay? They probably can’t see your credit card information, but that won’t stop them from using it since they have account access. And, in extreme cases, they can even delete your account on the way out.
It’s a huge hassle and liability, so just don’t do it.
The Hacking Exception
The final exception is, of course, if malicious actors happen to compromise your credentials in some way and gain access to your account.
That’s pretty much the same scenario as the above, except since it happens without your knowledge and with a malicious hacker, they’re going to do as much as they can to exploit and damage your account.
Now, this is pretty rare, especially if you use a solid 2FA system to keep your account secure, change your password regularly, and perform a regular security checkup – but it can still happen.
Phishing isn’t rare, and there are all sorts of sophisticated attacks that can catch even wary users. Be careful out there!
Common Mistakes in Google Drive Sharing
When people share the wrong files or folders or accidentally share things they didn’t mean to share, it’s usually a user mistake, not a security flaw or an issue with Google Drive itself.
The four most common mistakes people make when sharing on Google Drive are:
- You shared a folder containing files that you didn’t mean to share. It’s hard to accidentally share the wrong file, but since folders can contain many other folders, it’s possible to accidentally share a folder that has a file nestled deep inside those sub-folders that you forgot about. Before sharing a folder, it’s best to drill down into each sub-folder and carefully review the contents of everything inside them before you share the parent folder.
- You shared with the wrong person. The solution is to slow down, triple-check the email, and make sure that it’s spelled correctly and that you’re sharing with the right person.
- You used shareable links without restriction. When you generate a link for a file or a folder, it can be accessed by anyone with the link by default. If the link gets into the wrong hands or gets shared on social media, your data may be at risk. To avoid this, you should set access to “anyone with the link” only when necessary. Assume that any files or folders with this setting can and will be seen by strangers on the internet.
- You forgot to unshare files. After a file has served its purpose, you might forget to unshare it. It’s easy to lose track of who has access to what, especially with numerous files and folders. The way to prevent this is to regularly review Google Drive’s “Shared with me” and “Sharing” features to manage file and folder access regularly.
Note: As you can see, most of these are due to forgetfulness, not paying attention, or accidents that were made in a hurry. The best way to avoid these is to slow down, double-check what you’re sharing and who you’re sharing it with, and regularly review who has access to those files and folders.
Revoking Permission to View Files
If you’ve shared files or folders, and over time, you’ve changed your mind about what should be visible or who should have access, you can always change those permissions. Permissions don’t change on their own, so keep this in mind; if you shared a folder with someone years ago and have used the folder for other things since then, anyone who can access the folder can see new things in it if they choose to look through it.
Unfortunately, there’s no good way to see who has access to your various files and folders or see what access levels they all have. Personal Google Drive accounts don’t have that kind of auditing functionality.
Workspace accounts have some overviews in the Admin controls, though.
If you’re dealing with specific files, all you need to do is right-click the file, click Share, and change the level of access back to Restricted. This will remove access to anyone who has it, regardless of whether it’s been shared with individual people or “Anyone with the link.”
If you don’t need the file anymore, you can also simply delete it. No one can view a file they have access to if you’ve deleted it, after all.
The same goes for folders.
If you want to remove sharing access to the folders, click to Share it and then change it to restricted. If you want to restrict sharing to specific files within the folder, move them out of the folder. Or just delete the whole thing.
Finally, if you want to do a complete scan of your whole Google Drive account to see all of your files, how big they are, where they are and when they were last accessed, and more, why not give Filerev a try?
With a safe and secure oAuth login, you can grant the app access to your account to audit your files, allowing you to see and clean up your Drive. You can free up space, optimize your storage, delete duplicates, and more, all with the click of a button. All you need to do is click here to get started.
Leave a Reply