Google calendar is a popular app for people who want to take control of their lives by keeping a close tab on their timelines so that they can make the best use of time. Also, sharing your Google calendar with others will allow you to plan events, set up meetings, and perform tasks smoothly without any stress.
It will perform some of the tasks of a personal assistant by reminding you of events on time so that you get the time to prepare for attending it punctually. Google Calendar makes your life easy by taking care of the complexities of some apparent simple tasks which are not so simple when you try to do it manually. For example, setting up a meeting with Calendly’s Google Calendar tips is a breeze that would otherwise be a tremendously stressful and challenging task.
But along with the convenience comes some problems from sharing calendars. The problem was detected a few years ago and brought to Google’s notice by some users who started receiving malicious invites from those with whom they shared it with others. It took about two years for Google to take steps to fix the issue in 2019. Meanwhile, another serious issue has cropped up that could nearly expose the calendar data to the world. Although this is prima facie a privacy issue, it can have far-reaching security implications down the line.
What is the privacy issue with Google calendar?
According to calendly.com, google calendar has been in use for many years, and Google has always worked to include new features and improve security to assure users about its safe use despite sharing it with many others. While trying to improve user experience, Google considers user feedback seriously to eradicate problems reported by them depending on the level of threat as it happened with the issue of malicious invites on which Google has started working and hopefully resolve it.
Now comes the problem detected more recently, which can compromise users’ privacy as their calendar can become public without their knowledge. While this can be a highly embarrassing situation to see your events information falling into the wrong hands, according to experts, the problem lies deeper within the configuration of the app, which is much different from the common issues of vulnerability and bugs.
Google calendar settings allow users to make calendars public but only for specific people with whom users want to share it. Sharing it with varying levels of permission about the extent of its use is an important feature of Google calendar. The problem that we are talking about arises from misconfigured settings, which is much more severe than other vulnerabilities.
The threat
While users can configure the calendar settings for sharing it with specified persons which amount to making it public, the action does not allow users to stay in control about who views their events, despite choosing the settings accordingly. And this is where the threat lies. Users might feel that they have done enough to maintain privacy with settings for controlled sharing of the calendar events. The fact is that anyone can view any public calendar by making a Google search query without the need of having a link shared with them.
Modality of Google calendar sharing
Usually, Google calendar users share calendars for the ease of sharing event reminders, organizing meetings, and the like. The benefit of sharing is that the events keep updating in real-time, and everyone in the loop stays aware of it. After it becomes public, other people can view it.
Sharing options are many, and one can share private as well as shared calendars. They are editable but on computers only and not on mobile devices, and there is an option of ‘make available to the public’ among the list of access permissions. Although there is an option of hiding the details of the events by using the option ‘see only free/busy,’ this would defeat the purpose of sharing events, which makes no sense for the recipients if they cannot see the details.
Unchecking the ‘make it box’ can publicly stop sharing the calendar, but it can take up to 4 hours for the change to apply. Most importantly, when you make a calendar public, it becomes the default setting for all new events that you add to it unless you change the privacy settings for that event.
How comes the privacy problem?
The privacy problem stems from the fact that it does not always require a link to access the calendar events. It means that anyone, even without the link, can access the calendar events by just searching Google. This can be a big threat to companies because if the settings allow users to edit events, an error committed by anyone employee can result in leakage of company information.
Risk mitigation – what is the way
It is clear that all event information is accessible to anyone beyond the specified people in the sharing list. To prevent it, you must apply a universal, organization-wide setting, preferably using a G-suite so that only free or busy status is visible on public calendars and no other information. And this is from where the misconfiguration issue triggers.
To prevent access to Zoom meeting links by outsiders, it is advisable to restrict the Zoom meetings to users who sign in with a specific domain that can deter intruders from accessing internal company meetings. Google should immediately stop indexing Google calendar listings in search listings subject to any user wanting otherwise.
This would require a change so that users have more ongoing visibility by being aware of the risks of using public calendars. Users must be made more aware of the privacy implications of public status beyond the dialog that warns users when configuring the change.
Companies that intend to use Google for their business calendar must make their employees aware of the risks of keeping their company data secure. Going public with calendars is a calculated risk that users must learn to take.