Calendar feature gone wrong
A recent scandal shows that anyone can set their personal Google calendar to public with a few clicks, even unintentionally. If you are using a Google calendar, better check now if it is publicly visible. If so, you can manage the status here.
While this is an intended feature, it puts everyone's data at risk. Most people using online services are used to sharing private information - calendars, data stored in the cloud, etc. - with others. This is usually done via a shared link, and only people who know the link can access the data. This, of course, is not secure, but it is okay for non-sensitive data.
Sharing the Google calendar, however, is a completely different story: once shared publicly, Google includes the calendar in its search index, which makes it easy for others to find your data. On top of that, anyone can easily find any public calendar by just putting the email address of the person they are looking for in this URL: https://email@example.com
Public sharing is a company risk
As the Google calendar is also used by companies, Google's sharing feature puts sensitive company data at risk. For example, Shopify rewarded Brandon Nguyen $1,000 for disclosing that some employees had set their Google calendars to public, thus leaking information such as:
- New hire information
- Internal presentation
- Zoom meeting links: These meetings can be accessed without login, which puts a lot of internal information at risk.
Exploited by malicious actors
Public calendars are easy to search for, and malicious actors can exploit the data they contain, for example for sophisticated email phishing attacks.
Some public calendars also let anyone add links to the calendar, which is a settings option in Google. This poses a severe risk as malicious actors can easily add malicious links to a public calendar without anyone noticing.
To sum it up: Is Google Calendar safe?
When using Google Calendar - particularly in a business setting - you have to be aware of the risk: Employees could publicly share calendars and thus leak sensitive business information on the world wide web. For that reason, it is not safe to use the Google Calendar in a business environment.
Time for a calendar alternative
This scandal shows that it is time for a Google calendar alternative. When it comes to protecting your private data, the best choice currently available is the Tutanota Calendar. This zero-knowledge calendar is fully encrypted so that no one can spy on your private appointments.
Of course, you can also share the Tutanota Calendar, but only securely encrypted. This means that not only is there no risk of accidentally sharing the calendar publicly, there is also no risk that a link to a shared calendar is passed on by someone you shared the calendar with.
The Tutanota Calendar is always shared encrypted with other Tutanota users. Only the people you share the calendar with have the ability to decrypt the data. This means that no one else, neither we as the provider nor malicious attackers, can access your private data.
This is what we at Tutanota stand for. We use built-in end-to-end encryption to secure your email and your calendar.