Encryption in Google Allo is not on by default

by Volker Weber

The changes also suggest that parties at a much higher pay scale than Duong's are highly resistant to providing the type of end-to-end encryption that's on by default in messaging apps such as Signal and WhatsApp.

Very good analysis by Ars Technica. Allo does not make any sense to Google if they cannot listen to your conversation. Hangouts does not have it, Talk did not have it. And in Allo you have to turn it on each and every time. For Google to do its magic it needs to know what you are talking about.

Comments

I'm glad WhatsApp now encrypts everything by default. I never thought I'd prefer WhatsApp over a Google solution... but hey, still time to learn ;-)

Markus Dierker, 2016-05-21 09:18

To be fair, the headline should probably specify end-to-end encryption. This issue is more nuanced than it appears.
The traffic is encrypted (https) when leaving the phone, it's just not end-to-end encrypted *within the phone*. This means people can't sniff your traffic externally, but Google assistant can 'help you'. You know, like Clippy.

Craig Wiseman, 2016-05-21 14:34

The bar has been raised. End-to-end encryption is the only thing that counts for data in transit.

You could switch it off for Google to listen. But it has to be on by default.

Volker Weber, 2016-05-21 14:45

Craig, *on the phone* the data exists in unencrypted form necessarily. Otherwise the app couldn't show you the message you received. The point of end-to-end encryption is that the data is encrypted at the sending application and is only decrypted at the receiving application. However, what Google needs is access to the data in their data center and thus the sending app uses HTTPS to encrypt the data on its way to the server, where it is decrypted (and open for analysis, long-term storage, whatever the server owner wants). For the way to the receiving end, it is again encrypted using HTTPS.

There are a number of attack scenarios and privacy concerns towards this setup which are not applicable or as easily applicable to true end-to-end encryption.

Ragnar Schierholz, 2016-05-22 12:43
