Sleuthing Google Apps: Part 1 - Google Calendar

by Estragon

In a pair of articles, I will describe straightforward but non-obvious ways to see what other people have been doing in an organization you have online access to.

In this first article, we will see how Google Calendar can be utilized to see what meetings are occurring, even when you cannot see any meeting details.

Then, in a second article, we will look at how the change-tracking mechanisms within Google Workspace applications for spreadsheets and documents can reveal intention and coordination among those who wrote them.

These techniques may be of interest to 2600 readers in organizations that make use of the Google suite of online applications (Google Workspace and related names), or similar cloud-based document management and editing platforms such as Microsoft 365.

The Google suite of applications, like any modern cloud-based software, changes from time to time.  I tested the methods described here while writing this article and found that some things had changed since I first observed the behavior - and things can be expected to change again in the future.

About Google Calendar

This article is about Google Calendar.

This is the calendaring application in the Google suite, and it is typically accessed via a web browser or a native app on a phone or tablet.  The techniques described here have only worked for me via a web browser, at the time of writing.  Google Calendar (sometimes shortened to GCal) lets you keep track of your appointments and contacts.  It also lets you send and receive calendar invitations to other people, get reminders of appointments, set your working hours, and so forth.

Google Calendar has great interoperability with other calendar apps, which facilitates scheduling of meeting times with attendees in multiple time zones.  It also interoperates with other Google Suite elements, such as Meet (for audio/video calls), Drive (to share documents), and others.

There are millions of people who use Gmail and can utilize Google Calendar with their regular Gmail login.  My focus in this article is on the many thousands of organizations that have adopted the Google Workspace suite of applications.  These organizations typically use some of their own Internet domain space to point to Google-operated systems so that their email addresses, documents, etc. are within a Google-hosted enclave, but with their own organizational name, branding, policy, etc.

First, let's get a general description of how Google Calendar is used within organizations.  Then, I will share two personal stories, along with an illustration.  This first article concludes with some advice on how to avoid information leakage via shared calendars.

Google Calendar Use Within an Organization

The basic scenario, which is typical of organizations that have adopted the Google suite, is that default settings hide your calendar from outsiders.  For example, people who are not part of my organization will not be able to see my calendar or calendar events, and even if they are signed into Google with another organization, they won't be able to see my free and busy time.

Within my organization, by default colleagues will still not be able to see details (such as the title and description of an event in my calendar), but they will be able to see my free or busy time - that is, a view on what parts of my days are booked with calendar entries, and what parts are free.  This is a very useful feature, since it helps find a meeting time that is open for all parties.

An "organization" in this context is usually associated with one or more Internet domains or departments that have chosen to adopt the Google Suite.  For the scenarios I'm describing here, consider a fictitious organization like: 2600meetings.net

To adopt Google Workspace for the organization, the domain administrators of 2600meetings.net might set up Google as an email handler for the domain (by assigning MX records in the DNS and a few other setup steps).  Organizational employees or designated members/affiliates would get a Google login to the 2600meetings.net application space in Google.com: mail, document sharing (via Google Drive), the suite of productivity applications (documents, spreadsheets, presentations, etc.), and a plethora of available add-ons, including some from non-Google providers.

The result is that employees of 2600meetings.net, and anyone else assigned a login to the Google portal for the organization, will be able to utilize whatever Google services are set up for them.  They can even utilize the Google login to authenticate to other services (this also works for people using the regular free Gmail.com service).

The administrators of the organization's Google domain can choose which extra applications are available to their organizational users, as well as some default settings and restrictions.  For example, document sharing with outside parties might be prohibited.  Or a company-wide email signature might be added to outgoing emails.  Or a company might even use their own authentication system (via OAuth 2.0 or a similar protocol) rather than letting people log in with a Google credential - thereby tying that Google identity more closely to the organizational identity.  Options like these help an organization customize the Google Workspace experience to meet its needs.

For the Google Calendar app, what I have seen is that calendar sharing within organizations allows anyone to see free and busy time by default.  Sharing of additional details, like the event description, location, and other attendees, must be done intentionally by the calendar owner.  No calendar details at all are visible to outsiders.

This set of defaults makes great sense for setting up meetings within the organization.  There is even more granularity available, such as to assign rights to fully manage someone else's calendar (for example, an office administrator might need to set up meetings for the unit's head, and assign meetings to others in the group).

Here's the thing: visibility of free and busy time can disclose information about who is meeting together.  When physical rooms are scheduled via the calendar (which is another feature), even more inferences may be made.

Example 1: Sleuthing to Find Out When Meetings Occurred

I'll tell two personal stories where unintended information disclosure via Google Calendar happened.

In this first story, I had applied for a job in the same workplace my spouse is employed by.  It's a large organization, with over 10,000 employees, staff, and others who all utilize the same Google-managed application suite.

My job application had been languishing.  I had been interviewed but didn't know whether another candidate had been selected.  We knew who was on the search committee, and the name of the hiring official, but none of them were in the same department as my spouse.  The search committee members worked in different departments, including the Human Resources (HR) department.

Google Calendar sleuthing to the rescue!  Might we see indications through free/busy time whether the search committee had met after my interview?  Or whether there was a meeting that included the hiring official?

In this situation, one of the people who might have also been a candidate already worked for the organization.  Could we find out whether they had been interviewed?

We found that just by my spouse's viewing of free and busy time, we could get insights into the communication among search committee members.

There are two ways of doing this in the Google Calendar application.  For quick investigations, just set up a test meeting and invite the people you are interested in.  When you view "More Options" (or similar) in the test meeting, select "Find a time" (or similar).

You then get a side-by-side view of available time for whoever you invite - as many as you invite.

You can even see free/busy time in the past.  This is key: if you want to find out what people did in the past, take a look at past meetings.  If you want to find out who they were meeting with, just invite all those people to the test event and GCal will happily show where calendars were aligned in the past.

Of course, you should not actually send an invitation to those people.  You just want to see when they were all scheduled at the same time, in the past or in the future.

Another way of sleuthing calendars is to use the Google feature to "Add a calendar" to your calendar view.  Instead of an individual meeting, this lets you see a group of calendars, all color coded, for whatever range of times you select.  Within the web interface to the calendar app, you can navigate backwards and forwards in time just as if you were trying to make a new calendar event invitation, looking for alignment of the calendars you are interested in.

In my situation, we found that the top administrators, and all the HR people, had their calendars set to be non-visible to others within the organization.  Their calendars could not be viewed, and there was no indication of free or busy time.

However, other people on the search committee had their calendars available for viewing.  We looked back in time to the day of my telephone interview, and could see them all lined up, in the same "busy" block of time, for my interview.

It was then easy to look for other times they were lined up and make an educated guess that those were the days/times for the other interviews.  Scan forward a week or so, and we could see when the committee had likely met to discuss the candidates.

Did they interview the inside candidate?  It looked like they didn't - the inside candidate only had occasional overlapping meetings with some search committee members.

What about meetings involving the administrative team, when a candidate would be presented to the hiring official?  Well, we could not see the top administrator's calendar, nor anyone in HR.  But there was someone who reports directly to the top administrator on the search committee, and their free/busy time was available.  Also, we found that the room where the search committee met was in the calendaring system - so that people could book the room for their meetings.

We were able to infer the search committee had met, that the internal candidate was not interviewed, and that the search committee had not yet had a meeting to present their recommendation to the top administrator.  All of this was simply by looking at the alignment of free/busy time for those people who had made it viewable across the organization.
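The inference described above can be reproduced offline to gauge how much an organization-wide free/busy default discloses. The following is an added example, not part of the original article: the names, room, and dates are constructed, no Google API is called, and a hidden calendar is modeled as None.

```python
from datetime import datetime

def t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

# Constructed free/busy data: start/end only, no titles or attendees, which
# is all the in-organization default exposes. None = hidden by its owner.
FREEBUSY = {
    "member_a": [(t("2024-03-04 10:00"), t("2024-03-04 11:00")),
                 (t("2024-03-05 14:00"), t("2024-03-05 15:00")),
                 (t("2024-03-12 09:00"), t("2024-03-12 10:30"))],
    "member_b": [(t("2024-03-04 10:00"), t("2024-03-04 11:00")),
                 (t("2024-03-06 13:00"), t("2024-03-06 13:30")),
                 (t("2024-03-12 09:00"), t("2024-03-12 10:30"))],
    "room_101": [(t("2024-03-04 10:00"), t("2024-03-04 11:00")),
                 (t("2024-03-12 09:00"), t("2024-03-12 10:30"))],
    "hr_lead": None,  # hidden calendar: contributes nothing to the inference
}

def shared_busy(freebusy, min_people):
    """Return (start, end, names) spans where at least min_people visible
    calendars are busy at once, found by sweeping over block boundaries."""
    events = []
    for name, blocks in freebusy.items():
        if blocks is None:
            continue
        for start, end in blocks:
            events.append((start, 1, name))
            events.append((end, 0, name))
    # At equal timestamps, process ends (0) before starts (1) so that
    # back-to-back blocks are not counted as overlapping.
    events.sort(key=lambda e: (e[0], e[1]))
    active, spans, prev = set(), [], None
    for when, is_start, name in events:
        if prev is not None and when > prev and len(active) >= min_people:
            spans.append((prev, when, tuple(sorted(active))))
        (active.add if is_start else active.discard)(name)
        prev = when
    return spans

def exposure_report(freebusy, min_people=2):
    """Summarize which calendars are hidden and what the rest give away."""
    hidden = sorted(n for n, b in freebusy.items() if b is None)
    return {"hidden": hidden, "inferred": shared_busy(freebusy, min_people)}
```

In this sample the two members and the room line up twice, while the hidden calendar yields nothing, which mirrors why hiding free/busy for sensitive roles and rooms closes the leak.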

Example 2: Sleuthing Collusion

Another example of sleuthing via shared calendars occurred when I and some other people in my workplace suspected that a group of coworkers was colluding on ways to damage the broader organization.  Without going into detail, the basic situation is that we had a big membership organization, in which people from multiple other organizations collaborated.

We had a neat Google Workspace setup, where everyone in all the constituent organizations had access to the same shared platform: calendaring, documents, etc.  But everyone had a login and email associated with their own organization (functioning as a sub-organization within the Google space).

Here's a made-up example to illustrate.

In the 2600 context, you could imagine a single Google domain for 2600meetings.net, and then people in Austin would have austin.2600meetings.net or austin2600.2600meetings.net (or even weareaustin2600.org - they don't need to share the same top-level domain).

This type of setup, in my situation, let people create invitations via Google Calendar with people from across the whole broad organization.  We could also share documents and other activities on the Google platform.  Very convenient.

When my coworkers and I suspected there had been some meetings among people working against the broader organization, we used the same method as above to look for alignment in calendars, across several people.  We didn't have access to see all the calendars, but we could see enough.  This also served to discover a few people who we were not sure were part of the collusion or not, and rule out some others.

Since one of the collusion meetings occurred right after an in-person meeting that was publicly known, we even knew where this took place - all without being able to see details of anyone's calendar events.

Some people's calendars were completely unavailable, just like the top administrator in my earlier example, so we couldn't know for sure whether they were involved or not.


[Figure: Aligned free/busy time for a group of people.]
