About Google Drive's "A security update will be applied to some of your files" message
If you have opened the Google Drive website on the Internet, you may have noticed a notification at the top of the page that informs you about a new security update that will be, or has been, applied to some files on Google Drive. You may have also been informed via email about the upcoming changes.
The update is applied automatically to FamilyLink accounts according to Google; a notification is not provided for the account type.
The message reveals that the security update will be applied on September 13, 2021 to "some files". The "see files" link displays all affected files in a table. It lists the filename, last modification date, whether the security update has been applied, and an option to remove the update.
The files are shown for 30 days only, after which they are no longer displayed. Folders are not displayed at all in the table.
Google added advanced search parameters to list the files and folders:
- List all impacted files on Google Drive: is:security_update_applied
- List all impacted folders on Google Drive: is:security_update_applied type:folder
The update can be removed from files only according to Google. Just select the "remove security update" button when hovering over a line and interact with the prompt that opens to remove the update. Similarly, you may apply security updates again by selecting that option (which is only displayed for files that are impacted but without the update).
Google notes that some file types, Google Docs, Sheets, Slides and Forms, are not impacted by the security update.
The linked support page reveals details on the security update. According to Google, the change affects shared files and folders on Google Drive only. The security update adds a resource key to the links.
Google Drive supports two types of sharing. Customers may share links with other Google users or they may generate share links. The first option restricts access to the selected accounts, the second option allows anyone to access the files, provided that they have the link that points to them. Shared links that are accessible by anyone are protected through obfuscation only. If the link gets leaked on the Internet or is guessed, files can be accessed. Guessing may be more or less difficult, depending on the method used to generate the "random" part of the link.
New links on Google Drive use the resource key parameter to decrease the chance of discovering publicly shared links on Google Drive.
A new share URL looks like this: https://drive.google.com/file/d/0B2WS17qmp9--TGJZdVBjUGEyeFk/view?usp=sharing&resourcekey=0-PTJvLuPSW18qiCvIGgbL8Q
Previously, share URLs looked like this:
https://drive.google.com/file/d/0B2WS17qmp9--TGJZdVBjUGEyeFk/
Google notes that shared files remain accessible to users who opened these files in the past. Users who have not done so may need to request access again, as access may be denied in that case.
YouTube as well
Google made a similar change on its YouTube video service that affects unlisted videos. Unlisted videos are publicly available and use a similar obfuscation technology to prevent guessing of video links.
All unlisted videos on YouTube that were uploaded before January 1, 2017, were set to private by Google unless content creators opted out of the change. Videos uploaded after January 1, 2017 are not affected because the sharing method was changed on YouTube at the time.
Closing Words
Files shared publicly using Google Drive should still be considered publicly accessible, as they are still only obfuscated through the link. The new resourcekey parameter makes it much more difficult to guess links though.
Now You: how do you share files?
