Following the launch of Google’s messaging app ‘Allo‘ and its accompanying Assistant bot, security experts are up in arms over Google reneging on a promise better protect its users. NSA-contractor-turned-whistleblower Edward Snowden did a hot take on Allo yesterday, after its US launch, and came to the conclusion that it was nothing more than a honeypot for US surveillance efforts.
— Edward Snowden (@Snowden) September 21, 2016
The controversy goes back to Google’s developer conference, I/O, back in May. There, Google demonstrated the new application to a crowd at Shoreline Amphitheater while promising Allo would be encrypted and safe for users. I was in attendance, as was TNW alum Nate Swanner, who penned this after the announcement:
Allo uses end-to-end encryption, too — at least via an incognito mode (just like Chrome!). You’ll also be able to decide how long messages stick around.
If you’re looking for something similar, Allo is a bit like a private, semi-automated Facebook social layer that you can use privately.
Comments made by Google representatives we spoke with after the event suggested that the data sent and received by Allo would be stored, albeit ‘transiently’ on its own servers, meaning: Google won’t keep your chat logs in a place where they could be subpoenaed and it doesn’t assign an identity to the stored messages. Or, you could enable Incognito Mode to encrypt the conversation end-to-end and Google can’t read it at all.
Months later, Google backed off of the previously announced privacy feature and opted to store all non-Incognito messages by default. This is a complete 180 from its original plan and it never formally announced the change. In fact, we only found outafter Allo’s public launch.
As it stands, Allo is currently on par with most chat applications, in that it uses HTTPS to secure transmission between devices. Put simply, it’s mostly safe from hackers, but the data is readily available at Google datacenters and readable by anyone with the clearance to do so. Like Snowden said, it’s essentially a honeypot for three letter government agencies. The information is stored in an identifiable way and just waiting for a subpoena to access it. As Snowden pointed out, it’s not like the subpoenas are difficult to get; the US foreign intelligence surveillance court approved all of nearly 1,500 communication intercept requests made by the NSA and FBI last year.
That’s not to say Allo is completely unsafe. When enabled, Incognito Mode uses the same encryption protocol as Signal, which Snowden previously vouched for. By default though, it’s basically a grab bag of awful. Maybe it’s best to stick with known commodities in the security space and avoid shiny new toys like Allo.