Google security man reveals Allo will encrypt chats – sometimes.
May 24, 2016
Shah Sheikh (1294 articles)

Google security man reveals Allo will encrypt chats – sometimes.

Security industry types and leaker Edward Snowden have rubbished new Google instant messenger app Allo after its lead product engineer revealed it would not run end-to-end encryption by default.

The text-based messaging service launched at Google’s I/O 2016 gabfest last week is linked to phone numbers and sports Chrome’s porn browser incognito mode which hides sender names, deletes messages, and employs end-to-end encryption.

But the encryption is not used by default, a decision decidedly at odds with Google’s privacy position as expressed by its decision to encrypt all searches. It’s also an odd stance at a time when developers are falling over themselves to build encrypted messenger clients for a slice of the booming post-Snowden secure chat market.

The exclusion was noted and then removed by Google security man Thai Duong, a demonstrated hacker responsible for revealing high-profile vulnerabilities CRIME and BEAST.

Duong says he removed a paragraph in which he called into question the lack of end-to-end encryption – an Allo feature he developed – by default “because it’s not cool to publicly discuss or to speculate the intent or future plans for the features” of his employer.

He wrote initially that he would “push” for the ability for privacy wonks to opt-out of cleartext conversations marking incognito the default choice.

Here’s what Duong wrote, then retracted.

The burning question now is: if incognito mode with end-to-end encryption and disappearing messages is so useful, why isn’t it default in Allo?

I wish it’s the default (because it’s my feature haha :), but even if it is not default all is not lost. I can’t promise anything now, but I’m pushing for a setting where users can opt out of cleartext messaging. Basically with one touch you can tell Allo that you want to “Always chat in incognito mode going forward,” and from that moment on all your messages will be end-to-end encrypted and auto-deleted. You can still interact with the AI, but only if you explicitly invoke it, so you don’t have to give up everything for your privacy gain.

Google says if encryption were enabled it would would hinder its eponymously-named Assistant, which combs through conversations to help lazy texters be lazier.

It means little for the truely privacy-conscious, however. NSA thorn Edward Snowden says users should not trust Allo for now.

“Google’s decision to disable end-to-end encryption by default in its new Allo chat app is dangerous, and makes it unsafe,” Snowden said on Twitter.

“Avoid it for now.”

Privacy crusader Christopher Soghoian claimed on the social network that Google made the decision not to make encryption default to stay on the good side of government surveillance types.

“Making encryption opt-in was a decision made by the business and legal teams,” he says. “It enables Google to mine chats and not piss off governments.” ®

Source | TheRegister