This project is produced by Sentinel, Tinig ng Plaridel’s investigative and data reporting arm. We are now accepting news tips through our email and official social media accounts.
Alyssa*, a University of the Philippines (UP) student, was searching for a class requirement in the university’s Google Drive when she unexpectedly came across personal documents belonging to other UP students and faculty members she is not acquainted with.
“Most of our documents ay tungkol sa patients na nahahandle namin, so may risk na ma-leak yung personal information nila,” said Alyssa. “But actually hindi lang din for us yung takot, we felt na hindi rin safe especially sa mga professors, other students, and mga administrative documents na pwedeng ma-leak.”
Reports similar to Alyssa’s prompted UP Information Technology Development Center (ITDC) to send an email blast on June 26, 2024, warning students and university offices from sharing files with all UP Google Workspace users.
“This is a systemwide concern so kaya nagkaroon ng systemwide ding announcement from ITDC informing users not to mistakenly choose the [sharing] option na [maging] publicly available ang mga Google Drive files,” said UP mail admin and ITDC Senior Associate Victor Mamaril.
The general rule is that as long as the account belongs to the up.edu.ph domain, uploaded files in Google Drive are at risk of being visible in cloud searches. ITDC advised users to restrict access to their files and refrain from choosing the “anyone with the link” and “University of the Philippines” options in Google Drive.
But despite multiple email blasts, hundreds of files are still unknowingly being shared with the whole domain. Tinig ng Plaridel’s investigation found documents from various student organizations, student councils, and even UP administrative offices. Some of the files contained sensitive and personal information such as lists of those who obtained UP vehicle stickers, class submission folders and medical records.
The fact that files remain inadvertently accessible to all UP users shows that there is a lack on the part of both the university and Google to ensure users understand how to safeguard their files, said Kim Cantillas, chairperson of Computer Professionals’ Union.
‘Unintended’ consequence
Promoted as the “future of work,” Google Workspace emphasizes its enhanced working system where only a link is needed for groups to collaborate on the same document in real time. Since UP shifted its learning management system to Google 11 years ago, TNP found that the oldest file in the domain was also created in 2013.
Once a student uploads a file, the default sharing setting is restricted to those who are added to the document through an email address. There is also an option where an individual can either share their files with anyone with access to the link or those who belong in the UP domain.
Enabling the sharing links would not make a file automatically searchable to other UP users. However, when a user decides to limit file access to the UP domain, a drop-down box will appear letting a student or a faculty member choose whether to make their document searchable or not.
In January alone, around 827 MB of files were shared within the whole UP domain, dominantly consisting of academic and personal documents. More than half of the located files were stored inside a Google Drive folder shared with the “University of the Philippines” option.
Some of the files that TNP found through cloud search were, but not limited to:
- Election forms, minutes of meetings, endorsement letters, solicitation letters, letter templates from university student councils
- Internal organization documents, trackers, and databases
- Photos uploaded by students
- Class files such as syllabus, worksheets, and class drive folders
- Medical records
- Undergraduate and Graduate Theses, and PhD Dissertations
- Files from the university libraries
Tinig ng Plaridel approached some organizations and offices whose files were exposed and confirmed that they did not intend to share the listed documents with the public. This issue may have stemmed from the users’ “misunderstanding” of the Google Drive sharing option, according to University Computer Center (UCC) Junior ICT Manager Wil Maquinta.
“Usually pinipili to ng tao [‘University of the Philippines’ option] for the convenience of it kung kailangan nilang ishare. However, for some reason biglang [nagiging] available na siya [and] searchable na rin siya [in UP Domain] which is supposedly hindi dapat,” said Maquinta.
Alyssa admitted she did not know that files would already be visible once choosing the share to all UP users option.
“Ang akala ko, pag naka ‘University of the Philippines’ ‘yung access, syempre kailangan mo ng link muna to have an access then ma-oopen mo siya using your UP account lang. But hindi pala, accessible siya sa lahat ng user sa UP system kahit through the google applications lang,” she said.
It was not only Alyssa who noticed the same incident occurring, as Maquinta confirmed that UCC has already received reports on this issue and reported them to ITDC last November 2023. However, Mamaril said the only report they have on record was made in July 2024. Although a month before, in June 2024, the office released an advisory warning UP users from misusing Google Drive sharing options.
But Alyssa said that email blasts may not be “enough” judging by her friends’ reaction when she shared her discovery. “Nagulat sila [friends] nung kinwento ko ‘yung experience ko. So I guess, hindi lahat nabasa ‘yung email na ‘yun, so not everyone is aware pa rin,” said Alyssa.
While users bear some responsibility for safeguarding their files, Cantillas said it remains the university’s duty to ensure the UP community is aware of the implications of file-sharing options.
“Given na meron kayong nasesearch na files and databases na hindi niyo dapat siguro nakikita, kahinaan yun sa ng organization itself,” said Cantillas.
University’s accountability
The UCC considered whether they could solve the issue beyond launching an information drive. However, Maquinta said it would be difficult for the office to reach out to every user to fix their sharing setting and manually search for all their files in the domain.
“We do not have the power to force [na] tanggalin yan sa mga tao kasi account mo yun eh, ikaw nag-share,” said Maquinta. “Kahit kami admin ng up mail dito sa diliman, wala kaming power to take over your files to secure it back. It has to be an action done by the owner of the file which is the user.”
Maquinta added they also coordinated with ITDC to seek a better approach to solving the problem, but the office replied it was the users’ responsibility to protect their files. “I think it’s not an actual leakage pero it is a security concern, it’s a logical security concern parang unintended consequence siya [ng pag-share ng files],” he said.
But such a mishap could have been prevented if UP had maximized efforts to equip its users with the security details of Google’s service package upon adoption, said Cisco Senior Consulting Engineer Edwin Ricohermoso.
“Pag bumili ka ng services kay GDrive, may mga proper documents and security enclosures yan. Responsibility ni UP Admin na i-check lahat ‘yun,” said Ricohermoso. Cisco is a worldwide technological company calling for an inclusive future by combining society with technology.
In this case, the personal information controller—the ITDC and each campus unit’s IT office for this situation—is responsible for ensuring that private data is protected from unauthorized use, according to Chapter 3, Section 14 of the Data Privacy Act.
Cantillas, on the other hand, said ITDC should not be the only office concerned with this matter.
“[M]as nanggagaling dapat sa taas [UP administration] yung pag-ensure na may awareness or education yung mga gagamit ng tools niya [Google Workspace] kung paano ito gamitin safely, securely, [and] efficiently,” said Cantillas emphasizing ITDC should not be the sole concerned office as they are not the ones deciding what actions to take.
However, Maquinta said the issue is already “beyond UP’s control” because other educational institutions face similar data sharing problems in their respective Google Workspaces.
Beyond the cloud
Makati Science High School, for instance, had the same experience as UP, said the school’s Office-in-Charge Owen Ombid. This prompted their IT department to send a 30-day prior notice before pulling out accounts no longer part of the institution.
“Mahirap kasi mae-expose kami [Makati Science High School community], open na open [ang files], makikita nila lahat kung anong [data] meron kami,” said Ombid.
Students currently enrolled in other higher educational institutions, such as De La Salle University, the University of Santo Tomas, and Ateneo de Manila University, can also access files from individuals they do not personally know in Google Drive.
In an email correspondence with TNP, Google Press said the schools’ admin console has the option to restrict and remove members, or directly delete the entire “target audience” set by the organization’s administrators.
“Our products are designed to allow each organization to set its own sharing permissions in the manner that best fits its specific needs. These settings are managed by an organization’s administrator(s),” said Nicholas Tan, Southeast Asia’s Communication Lead for Google Cloud.
The company’s policies also said they are not liable for any “indirect or consequential loss” from using their products. However, Google is still obligated as a paid third party to ensure organizations availing of their workspace are properly educated on how to use their features, said Cantillas.
“May accountability din dapat ang Google kasi pinapagamit niya ito sa isang malaking organization,” said Cantillas, adding that the company should have also considered how its customers would perceive the use of each sharing option.
“Dahil pinagkakakitaan ni Google ang products at services na ginagamit ng users nito, dapat lang na user-centric ang design ng mga produkto nila, lalo pa at iba’t ibang tipo ng datos ang pinoproseso at inilalagak gamit ang teknolohiya nila,” said Cantillas.
For now, what UP can do is conduct a system-wide security audit to help examine the weaknesses in the implementation of Google Workspace in various university departments and offices.
“Mula doon sa audit […] makakabuo ng mga next steps kung as simple ba yan as pag-update ng mga privacy or ng access doon sa mga existing documents, existing files or kailangan ba ng capacity building, orientation, [o] written policy,” said Cantillas.
ITDC said in an email correspondence that they have been offering webinars to “enhance the digital knowledge and skills of students, faculty and staff.” The office has also recently sent an email blast to remind UP GDrive users of what each file sharing option entails.
But the university’s efforts can only go so far in preventing files from being unknowingly shared. On the very day this article was written, Tinig ng Plaridel found 84 shared files. Until proper accountability is enforced, students’ and teachers’ security remains at risk, said Cantillas.
“Hindi siya pwedeng parang basta mo lang bibigyan ng access [at] basta mo lang bibigyan ng tools yung mga members ng organization mo,” they said. “May responsibility ka na turuan sila kung paano maayos na gamitin yung mga ganito at ipa-appreciate sa kanila ‘yung pangangalaga sa data, sa privacy at sa security.”
EDITOR’S NOTE: Alyssa’s name has been changed at their request for privacy. The headline was also revised to ensure precision in describing the situation.
