Security and Privacy in Google Allo

Disclaimer: This post is solely my personal opinion, as someone from outside the team who consulted on security for Allo.

Update: I erased a paragraph from this post because it's not cool to publicly discuss or to speculate about the intent or future plans for the features of my employer's products, even if it's just my personal opinion.

(I want to thank K.B. and Thiago Valverde for a lot of thoughtful discussions that helped me understand what normal users really need when it comes to privacy.)

Unless you've been living under a rock, you know that this morning at the keynote of I/O 2016 Google announced a new messenger app called Allo. I'm not part of the Allo team, but I consult for them on security, and in this post I want to share with you how I think about privacy and security in our new app.

Allo offers two chat modes: normal and incognito. Normal is the default, but incognito can be activated with one touch. I want to stress that both modes encrypt chat messages when they are in transit or at rest. The Allo clients talk to Google servers using QUIC or TLS 1.2. When messages are temporarily stored on our servers waiting for delivery they are also encrypted, and will be deleted as soon as they're delivered.

In normal mode, an artificial intelligence run by Google (but no humans including the Allo team or anyone at Google) can read your messages. This AI will use machine learning to analyze your messages, understand what you want to do, and give you timely and useful suggestions. For example, if you want to have dinner, it'll recommend restaurants or book tables. If you want to watch movies, it can buy you tickets.

Like it or not, this AI will be super useful. It's like having a personal assistant that can run a lot of errands for you right in your pocket. Of course, to help it help you, you'll have to entrust it with your chat messages. I really think that this is fine, because your chat messages are used to help you and you only, and contrary to popular belief Google never sells your personal information to anyone.

But what if I want to stay off the grid? What if I don't want even the AI or whatever to see my messages?

That's fine. I share your concern. This is exactly why we developed the incognito mode. In this mode, all messages are further encrypted using the Signal protocol, a state-of-the-art end-to-end chat encryption protocol which ensures that only you and your recipients can read your messages.

Most people focus on end-to-end encryption, but I think the best privacy feature of Allo is disappearing messaging. This is what users actually need when it comes to privacy. Snapchat is popular because they know exactly what users want.

Simply Secure did an awesome study where they asked a group of users what they think about secure messaging in mobile apps, and here's what they found (emphasis mine):

"After in-person, semi-structured interviews with 12 African-American New Yorkers about mobile messaging, we identify design directions to improve secure messaging.

We uncovered a contradiction between the participants’ concerns and the priorities of the developer community. Participants:
● Believe online/governmental surveillance is inevitable
● Worry about physical security of mobile devices

Developers should better communicate the value proposition of secure messaging through app store descriptions.
● Secure messaging and open source weren’t understood terms
● Participants proposed the term “blocking”

Secure messaging was assumed to mean auto-deleting messages from the device.
Time-limited messages were the crucial privacy-preserving feature."

So to most users what matters the most is not whether the NSA can read their messages, but the physical security of their devices, blocking unwanted people, and being able to delete messages already sent to other people. In other words, their threat model doesn't include the NSA, but their spouses, their kids, their friends, i.e., people around and near them. Of course it's very likely that users don't care because they don't know what the NSA has been up to. If people knew that the NSA is collecting their dick pics, they would probably want to block them too. At any rate, the NSA is just one of the threat sources that can harm normal users.

You don't have to take my word (or Simply Secure's). There's a simple Android app that allows users to "lock" other apps, or "hide" photos or videos stored on their phones. Guess how many users it has? More than 100 million. People want to hide their stuff from other people, be it their friends or anyone close to them. This is the kind of privacy that normal users need, but we security and crypto engineers spend most of our time not working on it.

This is why I think end-to-end encryption is not an end in itself, but rather a means to a real end which is disappearing messages. End-to-end encryption without disappearing messages doesn't cover all the risks a normal user could face, but disappearing messages without end-to-end encryption is an illusion. Users need both to have privacy in a way that matters to them.

Again this is just my personal opinion, but I hope it sheds some light on why we do what we do in Allo. At the end of the day I hope that you now understand that there are people who care a lot about privacy and security at Google and are working hard to bring the best privacy and security features to our products.

Comments

Lucian Armasu said…
I disagree with the comment on the NSA. Most people "don't care" about NSA intercepting their data because they don't know any better. Just like "most people" don't care that Amazon uses SSL to protect their credit cards in transit, and they "didn't care" that their emails didn't even use SSL 5 years ago, exposing them to anyone from the local Starbucks hacker to any spy agency and criminal organization in the world.

I agree there should at least be an option to keep end-to-end encryption always-on going forward. I also hope you guys didn't leave out user verification through security codes in both Allo and Duo, as I've seen no mention of that in the announcements.

Unknown said…
Can ALLO's "Incognito Mode" be turned to be ALWAYS ON so the end user can make it the DEFAULT (even if it isn't the default experience)? It's going to be frustratingly unusable if every time I want to use it I have to turn it on.

Also, is ALLO going to be like Hangouts where it can run on multiple devices simultaneously (e.g., my Nexus 6, various iPads and PCs via the Chrome browser)?

Unknown said…
It's a shame that end-to-end encryption isn't on by default. ;-)

Anonymous said…
"disappearing messages are an illusion" FTFY

Unknown said…
Well, homomorphic encryption & searchable encryption is possible - in fact, we've a working version of it... @dszabosf

Anonymous said…
That's all well and good, but FHE doesn't have much to do with the problem of disappearing messages.

That is, the message will be decrypted on the other side, and exactly the attacker the sender is afraid of gets access to it => "their threat model doesn't include the NSA, but their spouses, their kids, their friends".

Whether or not the server saves a searchable version along the way (FHE vs DH) is irrelevant to the underlying problem.

Stefan Reich said…
So your employer's a suppressor. Gosh... who knew this!

-Stefan Reich, ex Googler