
Google Docs leak through “Yandex”: how personal data ended up in open access and what the consequences could be

Companies confirm the authenticity of the documents found, and lawyers are unsure who can be considered guilty.

On the evening of July 4, documents created in the Google Docs service and not sufficiently protected by privacy settings were found in “Yandex” search results. In the few hours that the loophole worked, passwords and personal data of users, corporate files and even materials of Moscow officials about raising the turnout at the mayoral election were found through the search engine.

On the night of July 5, Yandex disabled the ability to search Google documents without an announcement. By then the information had spread on social networks, and lawyers diverged in their interpretation of the law on personal data.

All search engines index data from Google services. But it was through Yandex that important information was found

Google, Yandex, Bing, and other search engines have been indexing public Google Docs files for some time. But while for a single broad query (for example, “passwords”) Google continued to show “junk” or shell documents, “Yandex” began to return documents with lists of passwords to different sites or bank card numbers, it follows from the observation of . Nevertheless, Kaspersky Lab noted that news like this about discovered personal data does not appear for the first time, but periodically.

How files with personal data and internal corporate documents ended up in “Yandex” search results is still not fully understood. The company itself claims that it acted according to the rules and indexed only those pages that are available by following a link without entering a login and password. Affected users complained that files available by link appeared in the results.

“Yandex” noted that pages stay out of its results only if the site administrator has forbidden indexing in the robots.txt file. However, Yandex robots really did have the right to crawl Google Docs addresses, including those starting with /document. It is not clear how the links got into open sources where the Russian search engine was able to pick them up.

One of the main assumptions is that Google Docs files were opened through Yandex.Browser or sent via Yandex.Mail, and the results were then indexed by the search engine. It is also likely that users themselves exposed links to documents during discussions on “VKontakte”, Facebook and other social networks or on open forums. The company did not officially clarify this point.

Protecting data is simple: you just need to change the level of privacy

As one can assume, some users of Google Docs did not know that files with “link access” remain public and are not protected well enough to store important data there.

A Google Docs document stays out of search results only if the owner of the file has set a certain level of privacy in the settings: for example, access by invitation. You can also hide the file from everyone else, leaving access only to yourself.

To exclude unwanted access to Google documents, you should set "access by invitation"

In Google Docs, you cannot set one level of privacy for all documents at once. This is done separately for each file. The one exception is a secure service that allows you to scan all files in your personal Google Drive cloud storage and establish what is currently in open access.

In addition, the set of permissions granted to collaborators is important: read-only or editing, downloading, and changing access for other users. What happens otherwise was shown on the night of July 5, when some people turned other users’ public Google Docs documents into chat rooms.
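The per-file check described above can be run over Drive metadata in one pass. This is an added example, not part of the original article and not the service it mentions; it assumes a listing shaped like a Google Drive API v3 `files.list` response that includes the `permissions` field, and the sample data is constructed.

```python
import json

# Constructed sample, shaped like a Drive API v3 files.list response requested
# with fields="files(id,name,permissions(type,role,allowFileDiscovery))".
SAMPLE_LISTING = json.loads("""
{"files": [
  {"id": "constructed-1", "name": "site logins",
   "permissions": [{"type": "user", "role": "owner"},
                   {"type": "anyone", "role": "reader", "allowFileDiscovery": false}]},
  {"id": "constructed-2", "name": "team notes",
   "permissions": [{"type": "user", "role": "owner"},
                   {"type": "anyone", "role": "writer", "allowFileDiscovery": true}]},
  {"id": "constructed-3", "name": "budget",
   "permissions": [{"type": "user", "role": "owner"}, {"type": "user", "role": "reader"}]},
  {"id": "constructed-4", "name": "shared with me"}
]}
""")

SEVERITY = {"public": 0, "link": 1, "unknown": 2}
OPEN_WRITE_ROLES = {"writer", "commenter"}  # strangers can change or annotate the file

def classify(file_meta):
    """Return (exposure, open_write) for one file's metadata."""
    if "permissions" not in file_meta:
        # Drive returns the list only to users who can share the file.
        return "unknown", False
    exposure, open_write = "private", False
    for perm in file_meta["permissions"]:
        if perm.get("type") != "anyone":
            continue  # only the "anyone" type is open to people who were not invited
        # allowFileDiscovery=true: findable by search; false or absent: link holders only.
        level = "public" if perm.get("allowFileDiscovery") else "link"
        if exposure != "public":
            exposure = level
        open_write = open_write or perm.get("role") in OPEN_WRITE_ROLES
    return exposure, open_write

def audit(listing):
    """List every file that is not provably invitation-only, worst first."""
    findings = []
    for f in listing.get("files", []):
        exposure, open_write = classify(f)
        if exposure != "private":
            findings.append((f["id"], f["name"], exposure, open_write))
    return sorted(findings, key=lambda row: SEVERITY[row[2]])

if __name__ == "__main__":
    for row in audit(SAMPLE_LISTING):
        print(row)
```

Files reported as `link` are the “link access” case from the article: no login is needed, so any place the URL is pasted makes them reachable by a crawler.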

Internal documents of banks, other companies and officials were found in the search results

During the few hours that the loophole worked, users of social networks circulated not only password lists, but also files resembling internal company documents. The information that caused a stir was far from always socially important: it included companies’ advertising budgets, contacts of journalists and bloggers, or “a complete list of Jews who changed their surname.” At the same time, some significant episodes became known from the documents.

An employee of “Tinkoff Bank” spoke about discrimination in hiring

A document was found in Google Docs that describes a ban at “Tinkoff Bank” on hiring “sexual minorities”, “representatives of the Negroid race”, those who need to pray during the working day, as well as former employees of the FSB and journalists. At first, the press service of the company denied involvement in the document, but later admitted that the author was an employee who created the document “with ambiguous intentions for the bank.” In addition to “additional instruction on values,” he is threatened with disciplinary measures, but “Tinkoff” has not yet said which ones exactly.

“Leroy Merlin” began to collect reactions to the scandal with a PR person

Users of social networks found a “Leroy Merlin” spreadsheet with comments about the scandal caused by a post from its now-former PR person Galina Panina. She said that the fans allegedly burned a certain girl during the celebration of Russia’s victory over Spain, and did not call them “vatka”. After that, Panina was dismissed from her post.

On social networks, it was suggested that the spreadsheet could be proof that the hype was created artificially, but everything turned out to be more prosaic. “Leroy Merlin” confirmed that this is its internal working document, in which reactions to the scandal with the PR person were being collected. The company did not explain how this data will be used later.

Probably, the “Olgino trolls” were given a list of arguments in support of Putin

The “Echo of Moscow” journalist Alexander Plyushchev published the document “Let’s Find the Truth: Russia Under Putin’s Achievement and Anti-Achievement.” The file lists historical events, beginning with the time of Vladimir Putin’s coming to power.

Plyushchev suggested that this is a methodology common among the “Olgino trolls.” noted that in this way possible options for the development of a discussion and arguments for disputes were listed for the bots. There is no evidence of the file’s authenticity.

Presumably, an officials’ list of Muscovites capable of raising the turnout in the mayoral election

Observers found the document “Resource Card PEC” dated June 27, which presumably contains personal data of Moscow voters. The table contains data on the number of people with disabilities who vote at home, and older people whom social workers can visit. The author is listed as the head of the Social Security Administration of the Northern Administrative District of Moscow, Svetlana Istomina. Activists suggested that in this way the authorities intend to raise the turnout in the mayoral election in September, “driving the socially dependent people”. The Moscow City Council informed Meduza that it does not know and does not “think anything” about the list of voters that got into open access.

With the publication of the discovered data on social networks, not everything is clear

Yandex said that it indexed only the “open part of the Internet”. Google noted that only those Google Docs files that “were intentionally made by their owners public” got into “Yandex” results. Security specialists from Group IB called it “negligence” that users did not set the necessary access restriction.

Another question is whether the internal confidential Google Docs documents found in Yandex results can be freely published on social networks. According to the law, such access to computer information can be considered illegal, because “there was no permission of the legal owner”, explained the lawyer of “Open Law” Julia Fedotova. However, the law can be applied only if the access caused the destruction, blocking or copying of information. It turns out that users will really be able to make a claim if the disclosure of personal data can at least be “stretched” to “copying”.

There is another opinion on the probable consequences. Users who publish the documents are not penalized, since they “had a link obtained lawfully in an open source,” said a St. Petersburg lawyer known on Twitter under the pseudonym Sergey D.

An ambiguous situation. My opinion is that the information is obtained in a legal way, and a person is not obliged to properly process personal data. But the one who allowed the possibility of downloading or accessing can and will be held accountable.

Sergey D.

However, if Google or Yandex recognize the event as a technical failure, then the user will not be able to file any claims, both lawyers noted independently. In such a case, there will be no offense in the person’s actions.