After sharing some work on Observable that used a Google Cloud File to read in data, some people raised concerns they had about the data access setup. I'm wondering if I could get some more info on the access Observable has to a Cloud File.
I was sharing a notebook with some new Viewer accounts, which meant they had not authenticated with Google Drive before, so they had to log in and allow access. However, this made some people uncomfortable since in the auth flow, a requirement is that Observable can “See and download all your Google Drive files”. This wording caused some concern. People became worried that if anything ever goes wrong (Observable is compromised, etc.), then our work Drive would be exposed and might be accessible to a malicious party.
I really enjoy the convenience of pointing to a cloud file and allowing it to propagate changes instead of re-uploading data files, and I think this setup is pretty robust, but I didn’t have a good answer toward possible security concerns raised by other team members regarding individuals authenticating access to our Google Drive. Does anyone have info on the security implications of using Google Drive Cloud Files as a data source?
- I see in the intro notebook that there is a note about this necessary access for Google Drive, but I could use some assurances that our Drive would be in good hands.
Thanks in advance.
There is a “Security and Privacy FAQs” notebook: Security and Privacy FAQs / Observable
It should probably (but doesn’t) mention how OAuth tokens are stored for the data integrations, but presumably they are in AWS or Heroku like everything else they mention.
The notebook that Tom linked is a good overview of our security practices. I can go a little deeper into some of the background around Google’s APIs that allow access to files in Drive.
There are two major ways we can access files in Drive. The first, the one Observable uses, prompts the user to allow Observable to “See and download all your Google Drive files”, as you’ve seen. The second only prompts the user to allow access to specific files. On the surface, that seems like it might be better, but it’s a bit more complicated.
The second, focused permission doesn’t allow permission for Observable to access that file, but for Observable to access that file in the context of your Google account. If another user with access to that file wanted to use the notebook, not only would we need to have them sign in to Google to gain access to Drive under their context, we would also have to prompt them to choose a file to share. We can’t enforce that each user chooses the same file. This would result in a confusing experience for users at best, and a different notebook output for each user at worst.
The first permission (that grants Observable access to all files), allows us to use any user’s account to access a file, so long as that user has the proper permission. That ensures that everyone sees the same version of the data in the notebook.
Given these two choices, we feel that the improved user experience is worth the extra effort we need to apply to protect the increased access level.
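To make the trade-off in the reply above concrete, here is a small Python model of the two access patterns. It is an added illustration for this thread, not Observable's code and not the Google Drive API: the two scope strings are the real Google OAuth scope identifiers for full Drive access and per-file access, but the users, file IDs and sharing ACL are constructed sample data, and `can_app_read` is an assumed simplification of the check Google performs on an app's request. It shows both points raised in the thread: under the per-file scope two viewers of the same notebook can end up with different output, while under the full scope a single leaked token exposes every file the user can read.

```python
"""Toy model of full-Drive vs. per-file OAuth access (added illustration,
not Observable's code and not the Google Drive API).

Scope strings are the real Google Drive OAuth scope identifiers; users,
file IDs and the ACL below are constructed sample data.
"""
from dataclasses import dataclass, field

# "See and download all your Google Drive files"
FULL_DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"
# Only files the user opened or created with this particular app
PER_FILE_SCOPE = "https://www.googleapis.com/auth/drive.file"

# Constructed sharing ACL: which users may read which file ID in "Drive".
DRIVE_ACL = {
    "file-data-csv": {"alice", "bob"},       # the notebook's data source, shared with both
    "file-hr-spreadsheet": {"alice"},        # unrelated sensitive file only alice can read
    "file-bob-notes": {"bob"},               # unrelated file only bob can read
}


@dataclass
class Token:
    """An OAuth token issued to the app on behalf of one user."""
    user: str
    scope: str
    # Files this user chose through the app's file picker; only meaningful
    # for PER_FILE_SCOPE, where the grant is per user *and* per app.
    picked_files: set = field(default_factory=set)


def can_app_read(token: Token, file_id: str) -> bool:
    """Assumed simplification of the authorization check on an app request."""
    # Drive sharing permissions always apply, whatever the scope.
    if token.user not in DRIVE_ACL.get(file_id, set()):
        return False
    if token.scope == FULL_DRIVE_SCOPE:
        return True  # any file the user can read
    if token.scope == PER_FILE_SCOPE:
        return file_id in token.picked_files  # only files picked via this app
    return False


def notebook_output(token: Token, data_file: str) -> str:
    """A notebook is pinned to one file ID; the token may or may not cover it."""
    if can_app_read(token, data_file):
        return f"data from {data_file}"
    return "ACCESS DENIED"


def blast_radius(token: Token) -> set:
    """Everything a party holding this token could read: the concern raised in the thread."""
    return {f for f in DRIVE_ACL if can_app_read(token, f)}


if __name__ == "__main__":
    data_file = "file-data-csv"

    # Full scope: both viewers get the same data, but alice's token also reaches HR data.
    alice_full = Token("alice", FULL_DRIVE_SCOPE)
    bob_full = Token("bob", FULL_DRIVE_SCOPE)
    print("full scope:", notebook_output(alice_full, data_file), "|", notebook_output(bob_full, data_file))
    print("full-scope blast radius for alice:", sorted(blast_radius(alice_full)))

    # Per-file scope: each viewer must pick a file; nothing forces them to pick the same one.
    alice_pf = Token("alice", PER_FILE_SCOPE, picked_files={"file-data-csv"})
    bob_pf = Token("bob", PER_FILE_SCOPE, picked_files={"file-bob-notes"})
    print("per-file scope:", notebook_output(alice_pf, data_file), "|", notebook_output(bob_pf, data_file))
    print("per-file blast radius for alice:", sorted(blast_radius(alice_pf)))
```

Running it shows the consistency benefit of the full scope (both viewers read `file-data-csv`) alongside its cost (alice's token can also read `file-hr-spreadsheet`), and the opposite for the per-file scope, where bob's notebook is denied because his grant covers a different file but alice's token reaches nothing beyond the one file she picked.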
Thanks for the helpful context.