I appreciate Google’s focus on iOS and OS X apps, as I routinely use many of the company’s services. Its recent introduction and announcement of four new apps that are or will be first for Apple platforms or released simultaneously with other is a terrific way to pull more people into its rich ecosystem. (More competition for our attention means Apple has to work harder to retain it, and all boats float higher.)
That’s why one of the apps, Allo, stands out: Google has chosen to emphasize its core business at the expense of default user security of the kind found in iMessage, WhatsApp, and other messaging systems. Allo is a new chat system—distinct from Google Hangouts and Gchat—that is a combination of features found in iMessage and Siri. Google has a new intelligent agent, called Google Assistant, that will be on tap in conversations to provide contextual search results and actions.
Google has only given demonstrations, but it appears that Google Assistant will always be listening and respond to cues, rather than require an invocation. Because the product hasn’t shipped, we can’t examine how Google intends to define our privacy while using Assistant, although one can assume its current general privacy policy applies.
Even if you have zero interest in that feature, however, Allo won’t offer end-to-end encryption by default. That is, a casual snooper with access to network traffic won’t be able to sniff the connections of anyone on a chat to discover its contents. The encryption will terminate for all parties within a Google server, where it handles transiting data back and forth among participants.
But user-to-server encryption is nothing like end-to-end encryption. And the only reason to enable the former rather than the latter as the out-of-the-box option is for business reasons.
Incognito-ively impaired
Google’s end-to-end encryption requires flipping a switch and understanding why the mode is different than regular chat.
You can use end-to-end encryption in Allo by enabling what Google is oddly calling Incognito Mode, something that’s typically used to refer to a browser feature in which cookies, history, and other signals engaged in during a session are discarded when the mode is disengaged.
If you don’t enable Incognito Mode, then Google has put itself in a position that allows easy access to sessions by government agents, from policy departments to national security, that assert a right in whatever country in which they have authority to view those chats.
As I’ve noted repeatedly, even if you’re 100 percent behind how the U.S. handles requesting private data with and without warrants—some companies don’t require a warrant, but will respond to official requests—I’m sure I can find a few dozen countries where you’d find the legal authority’s behavior and the judiciary’s incorruptibility difficult to defend.
Google’s privacy policy also more broadly says it will share personal information if it’s “reasonably necessary” for a few different circumstances, including to “detect, prevent, or otherwise address fraud, security or technical issues” and “protect against harm to the rights, property or safety of Google, our users or the public as required or permitted by law.”
The Stored Communications Act (SCA) in the U.S. generally protects us against disclosure except in limited cases, and someone suing you can’t simply subpoena Google for your Allo messages (or Gmail or any stored online data). But there’s some wiggle room whenever an ISP believes that its own services are threatened, someone is subject to harm, or there’s a crime being committed.
This law applies to all your data stored on servers, and Google’s policies are in line with other firms. But because Google requires users to engage Incognito Mode, it’s a more substantive issue than with services that rely on end-to-end encryption all the time or by default.
Incognito Mode also leaves Google (and your data) vulnerable to an attack. While the company has an excellent internal security history, information to which it has unencrypted access is a prime plum for crackers. The less information of yours that is stored in a manner that a service provider can access, even if they effectively never examine it, the less likely that information is to be viewed by unintended parties or stolen.
Words, words, words
So why would Google opt to push out an app less likely to protect its users and expose Google to being subject to producing messages under warrant? I can’t speculate as to motives, but it’s clear that it benefits its approach of expanding intelligent search. Google gets access to your messages to analyze them, anonymously, which improves its understanding of informal, natural speech. It can also see your response to Google Assistant’s attempts to help, and use those to better train its systems.
And Google Assistant is further along the path of integrating both search and actions into a seamless stream. No longer having to say “Ok, Google” or “Hey, Siri” and switch modes while you’re interacting with someone definitely binds you closer to Google’s ecosystem and means you’re less likely to engage in activity that they can’t make money from. One assumes Google Assistant will be as likely to offer sponsored results as other parts of the Google empire.
Chris Soghoian, a security researcher of some renown who works at the ACLU, noted on Twitter, “The FBI stopped asking for backdoors a while back. Now they are just asking firms to not encrypt by default. The FBI will like Google Allo.”
That may be too cynical, though it’s his job to take a hard line on civil rights and privacy. He’s not precisely insinuating Google built its service around the FBI’s desire, but it’s certain that he’s correct: In the FBI’s view, a service that can offer up text messages when presented with a warrant is better than one that can’t.
Allo will be competing with convenience and utility most directly against the multi-platform WhatsApp, which recently also released desktop versions for Mac and Windows, and for those in Apple’s ecosystem, against iMessage. WhatsApp flipped a switch a few weeks ago that brought end-to-end encryption to all its apps and services, and iMessage was designed from the start that way.
Google wants a “good job” cookie for offering end-to-end encryption, but by putting its business interests first, it’s trying to have its cake and eat it, too.
Author: Glenn Fleishman, Senior Contributor
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.