End-to-end encryption in messaging apps is meant to protect users’ privacy, but the way Google did it in its new Allo app may perversely endanger private communications, according to Electronic Frontiers Foundation.
Even before Google launched Allo, the app was criticized by privacy advocates over Google disabling end-to-end encryption by default, which differentiated it from Apple’s iMessage and WhatsApp, which do encrypt end-to-end by default to ensure only the sender and recipient can see a message.
In Allo, messages are only encrypted in this manner if the user selects Incognito mode, but in default mode the app only encrypts messages in transit.
Once chats in Allo’s default mode reach Google’s servers they’re available for its machine learning algorithms to analyze and make smart suggestions, like automating a reply after recognizing an received photo. Chats sent in Incognito mode are end-to-end encrypted, but since they can’t be analyzed by Google’s algorithms it sacrifices the app’s Smart Reply and Google Assistant features.
On the upshot, Google has made Incognito mode easy to use since switching it on doesn’t require digging through settings but simply tapping on the main interface to select which mode the user wants a chat to be in.
However, EFF today argued that while Allo makes Incognito convenient to use, it may ultimately be “dangerous for all users”, in particular because Google uses the term “Incognito” in Chrome to refer to when Chrome isn’t storing web activity is the browser history, but otherwise has nothing to do with end-to-end encryption.
“Google's decision to use the same label for these two very different sets of security guarantees is likely to cause users to misunderstand and underestimate Allo’s end-to-end encryption—or, even worse, overestimate Chrome’s incognito browsing mode and expose themselves to more risk than the name “incognito” leads them to expect,” EFF researcher Gennie Gebhart writes.
But Allo’s optional Incognito mode may also produce a worrying side-effect that could make it easier for a criminal hacker or government authority to determine which chats are worth targeting.
As Gebhart argues, since Incognito is billed as a feature for sending private or secret messages, it encourages users to select that mode when they’re sending valuable or compromising data, such as credit card information, a sext or details to coordinate a political rally.
The feature’s optional nature essentially flags to an attacker where the valuable information lies whereas if all messages were encrypted by default an attacker wouldn’t have a clue where to start looking.
The same concept applies at a community level, where if only targeted individuals use end-to-end encrypted apps, it signals which apps to go after. In other words, as Gebhart contends, encrypting your communications, even if you have nothing to hide, helps protect those people who do have something to hide — an argument that touches on the ongoing encryption debate over law enforcement access and the rise of secure messaging apps.
So what should Google do instead of its two-mode option? According to EFF, it should split the app in two and offer a truly secure version and a less secure one, or it could offer a setting in Allo to automatically end-to-end encrypt and auto-delete all conversations all the time.
An Allo developer did actually suggest such the setting option in a personal blogpost following the initial furore over encryption being off by default in the app. However that passage was quickly deleted.