Google Drive Links Never Expire. That's a Problem.
Source: Dev.to
A friend of mine runs a 15‑person agency. Last year he discovered that a contractor who left 18 months ago still had access to every client deliverable, internal strategy doc, and financial report that had been shared via Google Drive links. Not because anyone intentionally kept them in the loop, but because nobody revoked anything and Google Drive links don’t expire.
Turns out, when you share a Google Drive link with “anyone with the link can view,” that link works forever. There is no built‑in expiration, no automatic cleanup, and no reminder that says “hey, this document is still accessible to 47 people, including 12 who no longer work here.”
And honestly? Most teams have hundreds of these links floating around.
The Scope of the Problem
Think about every Google Drive link you’ve shared in the last two years: client proposals, internal roadmaps, hiring plans with salary details, board decks, financial models, contracts.
Now consider how many of those links are still active right now. Unless you’ve manually gone through and revoked access one by one, the answer is all of them.
A Metomic study on Google Drive security found that the average company has over 10,000 files shared externally through Google Workspace, and only about 5 % of companies have any process for auditing or revoking external sharing. That’s a lot of open doors.
This isn’t a Google Drive hate piece. Drive is great for internal collaboration, but it was built for collaboration, not for controlled external sharing. Those are fundamentally different use cases, and treating them the same way creates risk.
Former Employees Are the Biggest Blind Spot
When someone leaves your company, you (hopefully) deactivate their email and revoke their login. But what about every Google Drive link they were shared on as a viewer? What about links they shared with external contacts from their personal email?
Most off‑boarding checklists don’t include “audit every shared Drive link this person had access to.” Doing that manually would take hours—maybe days—for someone who was at the company for a few years.
According to the Varonis Global Data Risk Report, the average employee has access to 17 million files on day one. When they leave, most of that access isn’t cleaned up because it would be too time‑consuming to do manually.
Now multiply this by every employee, contractor, freelancer, and intern who has cycled through your company. That’s your actual risk surface.
Contractors and Freelancers Make It Worse
With full‑time employees you at least have some off‑boarding process, even if it’s incomplete. But contractors and freelancers? Most teams add them to shared folders during a project and then just… forget.
I’ve seen agencies where freelance designers from three years ago still have access to active client folders. Not because anyone wanted them to, but because nobody remembered to remove them.
The freelancer probably doesn’t even know they still have access. They’re not doing anything malicious; the link is just sitting in their email or bookmarks, still live, still accessible.
“Anyone with the Link” Is Scarier Than It Sounds
Google Drive’s sharing permissions include a setting that says “anyone with the link can view.” It sounds relatively safe—after all, someone needs the link to access it.
But links get forwarded, pasted in Slack channels, embedded in email threads that get forwarded again, bookmarked on shared computers, and even indexed by search engines if they end up on a public webpage (this happens more than you’d think).
A single “anyone with the link” share is effectively publishing that document to anyone who can find or receive the URL. There’s no authentication, no verification, and no logging of who accessed it.
Google does offer “restricted” sharing where only specific email addresses can access a file. That’s more secure but also adds friction, and most people default to “anyone with the link” because it’s easier.
What Good Access Management Looks Like
Here’s what would actually solve this problem:
| Feature | Description |
|---|---|
| Automatic expiration | Every shared link should have a default expiration date (e.g., 30 days or 90 days). If someone still needs access, they can request an extension. The default should be “access expires,” not “access is permanent.” |
| Access auditing | A single dashboard should list every document shared externally, who has access, and when it was last accessed. Links that haven’t been accessed in 6 months should be flagged for review. |
| Off‑boarding integration | When someone leaves the organization, every shared link that includes their email should be automatically reviewed. Bonus points if links they created are also flagged. |
| Access logging | Not just “was this link accessed,” but who accessed it, when, from what device, and how long they spent. This matters for compliance and basic awareness. |
Google Drive has some of these features for Google Workspace Enterprise customers, but not for smaller plans, and the implementation requires manual configuration that most admins never set up.
The Compliance Angle
If your company handles regulated data (healthcare, financial, legal, educational), the “links never expire” problem isn’t just a security nuisance—it can be a compliance violation.
- GDPR requires you to demonstrate control over personal data. If client data is accessible through links you shared two years ago to people who no longer need access, you’re arguably not in compliance.
- SOC 2 audits specifically look at access controls and whether access is revoked when no longer needed. “We shared it via Google Drive and forgot to revoke it” is not an answer auditors like.
Even if you’re not in a regulated industry, your clients might be. And if you can’t prove that you’ve cleaned up stale links, you risk losing their trust—and possibly their business.
What You Can Do Right Now
If you’re reading this and feeling uncomfortable (I was when I first thought about it), here are some immediate steps:
- Run a Google Workspace admin report on externally shared files. Sort by “last modified” and start with the oldest ones. Revoke access on anything that’s stale.
- Set a calendar reminder every quarter to audit external sharing. Yes, it’s manual. Yes, it’s annoying. But until you have a better tool, it’s necessary.
- Stop using “anyone with the link” as your default. Use restricted sharing with specific email addresses. It adds friction but is significantly more secure.
- Add a “revoke external access” step to your employee off‑boarding checklist. Even if you can’t catch everything, catching some is better than catching none.
- For truly sensitive documents, stop using Google Drive for external sharing entirely. Use a tool designed for controlled, time‑limited, tracked external sharing.
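The audit and off-boarding steps above can be scripted once file metadata has been exported. The sketch below is an added example, not code from the original post: it classifies each permission on a file as "anyone with the link", departed user, or external, and lists findings oldest file first. It assumes the metadata was already fetched in the shape of Drive API v3 `files.list` output; the sample records, the `agency.example` domain, the addresses and the 180-day stale threshold are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like Drive API v3 files.list output requested with
# fields="files(id,name,modifiedTime,permissions(type,role,emailAddress,domain))".
SAMPLE_FILES = [
    {"id": "f2", "name": "Roadmap", "modifiedTime": "2024-11-20T10:00:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "owner@agency.example"},
         {"type": "user", "role": "writer", "emailAddress": "former@agency.example"},
         {"type": "user", "role": "reader", "emailAddress": "designer@freelance.example"}]},
    {"id": "f1", "name": "Client proposal", "modifiedTime": "2023-01-10T09:00:00.000Z",
     "permissions": [
         {"type": "user", "role": "owner", "emailAddress": "owner@agency.example"},
         {"type": "anyone", "role": "reader"}]},
    {"id": "f3", "name": "Team notes", "modifiedTime": "2024-03-01T08:00:00.000Z",
     "permissions": [
         {"type": "domain", "role": "reader", "domain": "agency.example"}]},
]

def classify(perm, org_domain, departed):
    """Return why a permission needs review, or None if it is internal."""
    email = perm.get("emailAddress", "").lower()
    if perm["type"] == "anyone":
        return "anyone-with-link"
    if email in departed:
        return "departed-user"
    if perm["type"] in ("user", "group") and not email.endswith("@" + org_domain):
        return "external"
    if perm["type"] == "domain" and perm.get("domain") != org_domain:
        return "external-domain"
    return None

def audit(files, org_domain, departed, now, stale_days=180):
    """List (file id, reason, principal, stale) findings, oldest file first."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for f in sorted(files, key=lambda f: f["modifiedTime"]):
        modified = datetime.fromisoformat(f["modifiedTime"].replace("Z", "+00:00"))
        for perm in f.get("permissions", []):
            reason = classify(perm, org_domain, departed)
            if reason:
                who = perm.get("emailAddress") or perm.get("domain") or "anyone"
                findings.append((f["id"], reason, who, modified < cutoff))
    return findings

if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    for row in audit(SAMPLE_FILES, "agency.example", {"former@agency.example"}, now):
        print(row)
```

The `departed` set is meant to come from the off-boarding list, so an internal address that should no longer have access is flagged even though it matches the organization's domain.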
The links you shared last year are still live. The question is whether that’s a problem you want to fix now or a problem you want to discover the hard way later.