Privacy loophole? Another user creating an app from same sheet

Thought of a possible privacy issue that could be a concern in collaborative worksheets.

I have a Google Sheet that contains work-related info that only signed-in users should be able to see. That is all taken care of by the email whitelist, and I have also checked to my satisfaction that once the email is removed from the whitelist the person can no longer access the app. So we simply need to remove the email of the employee who has left.

But what if, during the course of collaboration, the employee had used the same spreadsheet to create a Glide app for himself? This would mean that the data would permanently be visible via the unauthorized version of the app, and they can even put it up as a public app.

As far as I understand, the spreadsheet is shared with Glide and therefore removing users from the main Google Sheet access itself does nothing. So doesn’t this pose a data privacy issue in the scenario that I mentioned above?

I don’t know if I’m being paranoid, but this has been weighing on my mind ever since I thought it up. If the Glide app can be created only by the owner of the spreadsheet, then this issue is automatically taken care of, but I’m not sure that is how it works.

Glide is amazing and I deeply appreciate it, but is this something users need to worry about?

So you are saying that if an employee had access to the app as well as the sheet…created another app using the spreadsheet that was shared with them…then left the company…would their app still work once you removed them from the shared access to the sheet? That might be a good experiment to try. Maybe create a simple app and sheet and try it with a fellow employee, or create another account. Might be good to have a company Gmail account anyway.

My first thought would be that once access to the sheet is removed for that person, their Glide account would also no longer have access. Since the same account is used for both, Glide just passes through the credentials to Google. In normal circumstances, only you have access to your sheet. Glide can see it only because you are logged in with your same Gmail account.

Of course there is nothing stopping the employee from making a snapshot copy of the sheet before leaving. That’s a risk any company would have.

I wouldn’t have worried too much if it was a static sheet. However, this one that I’m converting to an app is a living document; it will keep getting updated.

Will report back here once I test this with another email id.

If someone in your organization makes a public Glide app from a spreadsheet with private data in it, this is an issue whether you have made a separate, private app or not.

We plan to introduce an ‘organizations’ feature that would allow your company to create a Glide account and collaborate on apps there. I imagine you might want an organization-wide policy that prevents creating public apps from private sheets?

Yes, exactly. Along with preventing creation of public apps from an organization, there should also be a feature to transfer all the apps created by a member to the admin when the member email is removed from the organization. Else they may simply create a private app with other emails that can continue accessing the sheet.