Google this week announced a new messaging app with strong encryption that even the government, with a warrant, can't wiretap. But there’s a catch: You have to turn on that feature yourself.
The tech titan’s plan to launch Allo this summer without end-to-end encryption by default has drawn withering criticism from some quarters.
But other privacy advocates are more positive.
“I, too, would prefer that Allo be encrypted by default,” said Kevin Bankston, director of New America’s Open Technology Institute. But, he added, “all in all, this is going to be a net increase in the amount of encrypted messaging out in the world. And that is ultimately a good thing.”
With Allo’s debut, Google is taking a step toward joining the growing number of tech firms embracing “end-to-end” encryption, which protects the privacy of text messages and voice and video calls in such a way that even with a warrant, the government can’t access them. But by requiring users to turn on the feature, Google is lowering the odds that average users will avail themselves of the option, critics such as Snowden say.
Apple’s iMessage launched in 2011 with default end-to-end encryption. WhatsApp, Facebook’s messaging app, last month announced it had full, end-to-end encryption by default on all platforms — including Android, iPhone and BlackBerry. Apple also launched its video call FaceTime feature in 2010 with default strong encryption. That means that even when served with a warrant, these firms cannot provide law enforcement access to WhatsApp and iMessage chats.
FBI Director James B. Comey has endorsed the benefits of encryption. “I love strong encryption,” he said in a speech last month. But, he said, “what’s changed in the last few years is that it’s now become the default, covering wide swaths of our lives and covering wide swaths of law enforcement’s responsibilities.” He has called for a balancing of privacy and public safety needs in which firms maintain a way — usually with a key — to get the government access to the communications it seeks.
So Google’s move on balance is welcome, said one law enforcement official, who spoke on the condition of anonymity because they were not authorized to speak about the issue on the record. “Having this as an opt-in feature is certainly useful to us.”
Google designed Allo without default end-to-end encryption to make it easier to mesh the chat app with Google Assistant, a new conversation bot that can hold natural-sounding discussions with users, a Google spokesman said. It’s a competitor to Apple’s Siri, Amazon’s Alexa and the many bots created for Facebook’s Messenger app. Assistant is designed to tap into Google’s wealth of data about users to provide tailored recommendations, from the best movies to see to the quickest route to the theater.
Because Google may need to run queries made of Assistant on its own servers, the official said, it’s not feasible to offer end-to-end encryption by default. Users who opt to use the encrypted “Incognito” mode may thus lack some Assistant features, he said.
Some tech experts said it is possible to combine end-to-end encryption with the artificial intelligence bot feature. “There’s always a way,” said Morey Haber, vice president of technology at the cybersecurity firm BeyondTrust. Smartphones, for example, could do some of the processing on the device. But, he said, it would be difficult to fully process queries to Assistant without the power of Google’s remote servers, which would need to see the unencrypted queries. “I don’t think the technology is there yet,” Haber said.
The company said that even the standard chat mode conforms with standard encryption practices; messages between Google and users will be encrypted, but the Google Assistant system will have access to what users are sending.
Still, the company’s decision to forgo default end-to-end encryption has raised questions — even internally.
A Google engineer who worked on Allo's security wrote a personal blog post Thursday obliquely criticizing the lack of such strong encryption. “If incognito mode with end-to-end encryption … is so useful, why isn’t it the default in Allo?” Thai Duong wrote. He also said he would push for “a setting where users can opt out of cleartext [unencrypted] messaging.” Both lines were quietly removed later that evening from his post, with Duong adding a note that he erased a paragraph “because it’s not cool to publicly discuss or to speculate the intent or future plans for the features of my employer’s products.”
Google declined to comment on whether it pressured Duong to edit his post.
Christopher Soghoian, American Civil Liberties Union principal technologist, said by making the encryption feature an opt-in, “Google gets the maximum press value out of the encryption tech while guaranteeing that it is used by as few people as possible.”
Google, he said, “has given the FBI exactly what top officials have been asking for.”
Bankston said the opt-in will depend on how easy the firm makes it to do so. “That,” he said, “will turn a lot on the design.”
This post has been updated.