Encryption in Google Allo is not on by default

by Volker Weber

The changes also suggest that parties at a much higher pay scale than Duong's are highly resistant to providing the type of end-to-end encryption that's on by default in messaging apps such as Signal and WhatsApp.

Very good analysis by Ars Technica. Allo does not make any sense to Google if they cannot listen to your conversation. Hangouts does not have it, Talk did not have it. And in Allo you have to turn it on each and every time. For Google to do its magic it needs to know what you are talking about.

Comments

I'm glad WhatsApp now encrypts everything by default. I never thought I'd prefer WhatsApp over a Google solution... but hey, still time to learn ;-)

Markus Dierker, 2016-05-21

To be fair, the headline should probably specify end-to-end encryption. This issue is more nuanced than it appears.
The traffic is encrypted (HTTPS) when leaving the phone, it's just not end-to-end encrypted *within the phone*. This means people can't sniff your traffic externally, but Google Assistant can 'help you'. You know, like Clippy.

Craig Wiseman, 2016-05-21

The bar has been raised. End-to-end encryption is the only thing that counts for data in transit.

You could switch it off for Google to listen. But it has to be on by default.

Volker Weber, 2016-05-21

Craig, *on the phone* the data exists in unencrypted form necessarily. Otherwise the app couldn't show you the message you received. The point of end-to-end encryption is that the data is encrypted at the sending application and is only decrypted at the receiving application. However, what Google needs is access to the data in their data center and thus the sending app uses HTTPS to encrypt the data on its way to the server, where it is decrypted (and open for analysis, long-term storage, whatever the server owner wants). For the way to the receiving end, it is again encrypted using HTTPS.

There are a number of attack scenarios and privacy concerns towards this setup which are not applicable or as easily applicable to true end-to-end encryption.

Ragnar Schierholz, 2016-05-22
