30

Assume the following:

  • I am doing all my work, including the one with sensitive information on Google Docs. No documents are stored on local hard drive.
  • I am not using the Google Drive App, just doing everything via web interface
  • I am using incognito mode all the time.
  • There is no one "looking over my shoulder", or manages to install any keylogger kind of software

So, my question is, can FBI or government agencies still be able to get hold of my files stored on Google Docs by confiscating my laptop?

What I am asking is can my laptop still give me away if I use online cloud storage? We all know that even if I delete a Microsoft Word file even from Recycle Bin, there are chances that the file can still be retrieved as long as the investigators have the hard disk.

Note that this question is very different from this one here, because we are not talking about accessing the deleted data from HDD per se, but rather, accessing the data that is stored purely on the cloud and only exists temporarily on web browser

Graviton
  • 905
  • 4
  • 12
  • 26
  • 9
    are you concerned that once your laptop is confiscated, the gov't agency would subpoena Google for your accounts? – schroeder Aug 11 '15 at 04:04
  • @schroeder, if the government agency subpoena Google, then my data wouldn't be safe, am I right? No, I don't worry that the government agency will do that – Graviton Aug 11 '15 at 04:11
  • Well... looks like you wanna hide your files in a safe place. – NathanWay Aug 11 '15 at 04:27
  • 3
    If I were you and you want only to store the files in a really safe place like Google Drive, Something I would do is to encrypt the files with a Asymetric Encryptation, Generate a public and private key. You upload the files and then you delete them from your computer... Whenever you need the file you will need to use your private key. Thats all I can say I've never hide anything in Google Drive – NathanWay Aug 11 '15 at 04:29
  • 39
    If the government agency subpoenas Google, then they have your documents – schroeder Aug 11 '15 at 04:37
  • @NathanWay, won't the enforcement agencies get my private key when they confiscate my computer? – Graviton Aug 11 '15 at 04:46
  • 4
    That's up to you... Where you store the private key. There a lot of alternatives instead of your computer... – NathanWay Aug 11 '15 at 06:17
  • 4
    If you are trying to hide your files from government, you probably should ask the question in Crime.SE. – ave Aug 11 '15 at 08:19
  • @Graviton the private key should itself be protected by a passphrase. I can't remember whether passphrases are protected under the Fifth Amendment though. – pjc50 Aug 11 '15 at 10:59
  • 1
    Is it even wise to state on a publicly available website that you **have** files that the FBI is interested in, that you fear your laptop is seized, and that you are in need of plausably denying a presumably illegal activity? I mean, hey, I secure my stuff too, but there's a difference between liking your privacy and expecting the FBI to bash down your door the next moment. That's only reasonable if you really do have something considerably illegal. – Damon Aug 11 '15 at 12:23
  • 3
    @ardaozkal Funny. I actually went looking to see if there really was a Crime.SE... – Michael Aug 11 '15 at 19:01
  • possible duplicate of [Is it possible to recover securely deleted data from H.D.D using the forensics?](http://security.stackexchange.com/questions/53253/is-it-possible-to-recover-securely-deleted-data-from-h-d-d-using-the-forensics) –  Aug 12 '15 at 09:25
  • @schroeder, They have your *encrypted* bytes ;) – Pacerier Nov 11 '15 at 00:34

5 Answers5

54

When you store data on Google Docs, as you may already know, it is not encrypted at all. I read that everything you upload to Google Docs and similar services are not only yours anymore because you agree Google to own them too. This means, at first glance, Google has already access to your files since Google confesses that by itself:

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content.

Also, I am not American but from my understanding of the NSL, the FBI can access your data on Google Docs without even warning you.

In your case, I'd rather prefer to encrypt the data before storing it on Google Docs after choosing a strong algorithm and you found a secure way to protect your private key.


Update:

More than 24 hours after the question was asked, a user modified the title of the question giving it an other meaning than the original one:

enter image description here

First time I answered your question, you were online around fourty minutes while my answer was the only one available. You answered only to two comments of @schroeder but nothing else even after you received different answers dealing with different aspects of your question. Even one of your 2 comments was too confusing because you said a thing and its opposite:

if the government agency subpoena Google, then my data wouldn't be safe, am I right? No, I don't worry that the government agency will do that –

You did not react to accept it or comment it to ask something. After few users said that your question's title is not the same as its content, I asked you clarification via a comment I deleted (because it is too chatty already) but you did not react either. Following your silence to different answers and comments and your refusal to clear the ambiguity of your question, I need to update my answer by focusing on an other side you may wanted to ask, for further readers as the posts here are intended to last.

I had to focus on your question's title because good answers to so many questions as yours already exist here:

  1. Is it possible to recover securely deleted data from a hard drive using forensics?
  2. How to recover securely deleted data
  3. How does forensic software detect deleted files
  4. Is data-remanence a concern in RAM?
  5. How can I reliably erase all information on a hard drive?
  6. Prove that you deleted the file
  7. Ensure data doesn't linger after being deleted
  8. I'm leaving my job and want to erase as many personal details etc. as possible; any tips?
  9. Overwriting hard drive to securely delete a file?
  10. Secure file deletion vs wiping free space

And the list of similar questions with good answers is still so long on this website. This is just a short list I picked myself. And we all know that when you delete a file from Windows' Recycle bin (trash), it becomes invisible to your operating system only because the file allocation table does not point to it anymore, otherwise the file exist somewhere in your hard drives and you can get it back (if the OS did not override it especially if it has been a long age since you deleted it)

There is also a point I want to add to those answers about the possibility to FBI to recover your data. It is the easiest way but the answers I read elsewhere here forget it frequently:

  • The easiest way for them is to use the Restore System feature of Windows. That way they could, by chance, get back your browsing history, cookies and even your secret files that you uploaded to Google Docs. By chance, I mean all depends -for the files, for instance- on the restore point you set. This is the easiest way.

Also, other answers to your question mentioned that your coockies, browsing history and browser's cache are a way for the FBI to get your data. That is true even in the case you cleared these elements from your browser because all what the FBI needs is to find where your browser stores its cache:

P.S.

If the FBI is interested to check your browsing history (supposed you hid some of your data on your secret Wordpress blog, for example), they can find where you surfed (your blog) by checking your DNS because your computer uses DNS servers to resolve hostnames to IP addresses, such queries are temporarily stored in your DNS cache. When you clear your browser history, your DNS cache is not touched. You can try this command yourself: ipconfig /displaydns to display the contents of the DNS resolver cache. Do not forget also that the FBI can check your router logs (even if in most routers this functionality is deactivated by default). This can be useful for them in case you downloaded some data you are not allowed to access, or in case you stored your secret data elsewhere before you upload it to Google Docs, or simply they can find a proof you used Google Docs. One thing to mention also: your browsing history still can be detected in case your ISP, the government, or whoever else decides to cache your list of browsed sites. Finally, some files of your operating system such as Index.dat (hidden file) contain all of the Web sites that you have ever visited. Every URL and every Web page is listed there.

  • 42
    Let's not forget that google syncs its servers all the time, sending the docs to servers across the U.S. border and making it possible for the NSA to intercept them. No subpoenas needed... – BadSkillz Aug 11 '15 at 07:24
  • 1
    @begueradj hmm, makes sense BUT: "So, my question is, can FBI or government agencies-- still able to get hold of my files stored on Google Docs by confiscating my laptop? What I am asking is can my laptop still give me away if I use online cloud storage? We all know that even if I delete a Microsoft Word file even from Recycle Bin, there are chances that the file can still be retrieved as long as the investigators have the hard disk." – ave Aug 11 '15 at 08:35
  • 4
    regarding private keys: https://xkcd.com/538/ – njzk2 Aug 11 '15 at 13:49
  • 1
    Normally, the FBI would need a search warrant, but, yes, they absolutely can subpoena Google to get your files there regardless of whether they have your laptop or not and, yes, there are a few instances where they might do it without a search warrant (i.e. if you're suspected of terrorism, especially if you're not a U.S. citizen.) – reirab Aug 11 '15 at 14:13
  • 3
    Though apparently, RE: NSA intercepts, Google (supposedly) has decided to encrypt *all* traffic, thank you Edward Snowden. – Wayne Werner Aug 11 '15 at 16:14
  • And to **start** to reply to the original question, don't forget to feed the shredder with all your swap space, all your I/O buffers and all your temporary files space (which on most OSes is all your free filesystem). – dan Aug 11 '15 at 23:42
  • @njzk2 Ah, good ol' rubber hose cryptoanalysis https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis – Absalón Valdés Aug 12 '15 at 02:30
  • @BadSkillz That data is encrypted in transit: http://arstechnica.com/information-technology/2013/11/googlers-say-f-you-to-nsa-company-encrypts-internal-network/ – Ajedi32 Aug 12 '15 at 13:34
  • @absalon.valdes I've started calling it "$5 wrench cryptanalysis" ;-) – Ajedi32 Aug 12 '15 at 13:37
  • @Begueradj, Hi, why is your rep at 1? Why was your account banned? – Pacerier Nov 11 '15 at 00:36
37

As pointed out by begueradj, any government agencies can access your cloud-stored files through a subpoena to Google. But your question was what they can do when they have your laptop alone and nothing else. This is not an unlikely scenario. It is the situation you have, for example, when you get arrested by law enforcement and they do not have sufficient evidence to hold you or your property for longer than a few hours.

  • When you still have a valid login cookie for google docs in your browser, they can copy it to impersonate you or simply log into your account by opening it in your browser.
  • When your browser saves passwords without requiring a master password, they can extract your password from the browsers password storage.
  • When either of the previous points applies to your webmail account, they can request a password reset for your Google Docs account.
  • It's even easier when you use an email client which doesn't ask you for your username and password when fetching your mail.
  • Your browser might still have cached parts of the documents in the browser cache from the last time you accessed them.
  • If it doesn't, those deleted cache files might be restored using a data recovery program if they are lucky.

Any of these problems can be mitigated by using a full-disc encryption software... as long as the laptop is switched off when they confiscate it... and you are in a jurisdiction where you can't be forced to reveal the password... and the people who detain you care about your right to not reveal it.

Philipp
  • 48,867
  • 8
  • 127
  • 157
  • 8
    This is a better answer as it directly answers the question. – Aaron Hall Aug 11 '15 at 17:37
  • You might add that your OS may also have cached parts of the documents, and a lot of blocks all over the disk of previous versions of all documents which were once written on disk. – dan Aug 11 '15 at 23:32
  • @danielAzuelos A fresh view of your mailbox would be required to access a recently requested password reset request though, which is what the answer is addressing. – Ajedi32 Aug 12 '15 at 13:36
  • @Philipp, Nice, what are some recommendations for full-disc encryption software? – Pacerier Nov 11 '15 at 00:39
  • @Pacerier For software recommendations, please visit https://softwarerecs.stackexchange.com – Philipp Nov 11 '15 at 08:07
  • @Philipp, I mean the ones you personally have used before and recommend. – Pacerier Nov 12 '15 at 02:22
6

In addition to the answers discussing cloud access, or the good answer from phillip,

google docs is going to leave lots of traces in temp files/swap etc where the documents could be easily retrieved.

By common practice/configuration virtually all browsers are going to leave temp files behind for every page viewed. In addition to the temp/cache files that users may be aware of, additional temp files are used and deleted automatically by the browser, but those would be accessible to forensic investigators.

To compound the issue, the browser is certainly keeping the document in RAM (in order to be able to display it to you) and RAM is regularly put into disk as part of memory swapping of almost every OS. That data is also easily available for forensic investigators.

Finally on a laptop hibernate/sleep mode will also dump a copy of RAM to disk.

As others have said, full disc encryption, and make sure the laptop is off when they get it, are the answer. Using the tails OS is also a good mitigation for these problems (when configured to not allow any local storage)

However, if you are a person "of concern" to anyone with the resources to jump through these hoops, having the data in the cloud to begin with is a much greater liability.

If you must put it in the cloud for distribution purposes, encrypt it locally with strong encryption and upload it for others to be able to fetch.

Yes that is much more inconvenient, but if you are actually worried about the security of this information, it is virtually mandatory.

Jason Coyne
  • 1,583
  • 2
  • 10
  • 10
  • 6
    "google docs is going to leave lots of traces in temp files/swap etc" [citation needed]. Do you have any evidence to suggest that the files touch the hard drive at all? – schroeder Aug 11 '15 at 18:34
  • 3
    "Do you have any evidence to suggest that the files touch the hard drive at all?" Why would all browsers have tools to clear cache if they haven't save anything in cache (which is stored on hard drive)? – el.pescado - нет войне Aug 11 '15 at 18:59
  • 1
    Depending on browser and configuration, it will leave various temp files by just loading the page. This is not google docs specific. Even if that is not an issue, its in RAM, and RAM is written to swap by the OS all the time. Not to mention hibernation files, etc. If this is your local fuzz, they probably won't get it. If the FBI is after you because you are snowden, or dread pirate roberts, or a terrorist, they can and will. – Jason Coyne Aug 11 '15 at 18:59
  • This isn't particularly `Google Docs` which will fill the disk with freed blocks. This is the standard behaviour of any OS. Before uploading any file you have to make it on your PC, with Word, Pages, `vi` whatever. The traces start there. There are a lot. Sometimes too many to a point its a nightmare to recover the right last interesting one. – dan Aug 11 '15 at 23:37
  • I would add that when working with Google Docs Graviton might be using it from some other computers. Hence he (or she or it), will have to feed to the shredder all the free space and temporary files used on these computers to avoid to leave any trace. – dan Aug 12 '15 at 00:09
  • 1
    @danielAzuelos you can create docs directly in Google Drive – schroeder Aug 12 '15 at 04:49
  • @JasonCoyne Can you include the details in your comment into the Answer, itself? – schroeder Aug 12 '15 at 04:59
  • @schroeder I have expanded my answer. – Jason Coyne Aug 12 '15 at 15:00
4

Others have commented that if they capture your session cookie they can simply access your documents, and otherwise they can obtain a warrant to get your documents from Google. There is a minor twist to the second point: they need to know your user ID. Without this, they cannot serve a meaningful warrant to Google, and finding some incriminating document among the billions of legitimate documents would be difficult.

If they capture your laptop when it is turned on, they will more than likely get your session cookie, and it's hard to stop this. But if your laptop is off, and there's no trace of your user ID anywhere (which would require care on your part), then in practice it would be very difficult for them to access your documents.

You'd also have to hide any likely routes to trace your account. Say they arrest you in Joe's Cyber Cafe. They could ask Google to show what accounts were accessed from the IP address of Joe's Cyber Cafe. You can stop this by masking your IP address, perhaps using Tor. Another concern is if they could figure out a search string, which would match your document.

Ultimately, while this approach has some potential merit, the more common approach of encrypting everything seems to be a better idea.

paj28
  • 32,736
  • 8
  • 92
  • 130
  • 1
    Good answer - I was going to answer along similar lines. Note that if Google Chrome is being used, [cookies are encrypted](http://security.stackexchange.com/a/93687/8340) so the session is safe even if captured when on, if it is locked. – SilverlightFox Aug 12 '15 at 15:06
2

It's really a bad idea to store sensitive information in the internet, especially in Google products. If you are concerned about FBI I suggest to delete everything and read a lot about how to keep your files safe. If you need thease files in internet for some reason, at least use PGP encryption for the files. Also use encryption for your hard drive with strong and long password. If you are using Windows, don't use the build-in encryption.

Kasmetski
  • 139
  • 3
  • 4
    "If you are concerned about Internet threats, disconnect from the Internet and turn your computer off" ... to paraphrase the actual text from an AV program I once uninstalled. – Michael Aug 11 '15 at 19:06
  • @Michael, What if someone is concerned about having no Internet access **more than** he is concerned about Internet threats? – Pacerier Nov 11 '15 at 00:43