
Google’s new Chat service shows contempt for Android users’ privacy - ColinWright
https://www.amnesty.org/en/latest/news/2018/04/googles-new-chat-service-shows-total-contempt-for-android-users-privacy/
======
therealmarv
This accusation is wrong. Chat is using a protocol which is a successor of
SMS. It's an interface to this protocol and not a 100% WhatsApp/Telegram copy.
And this will be also the reason it will fail... it's not all on Google's
control, even the network providers will have control and iOS will be missing
(that means no entire market reach). The problem with this new standard (RCS I
think) is that it was never designed for end to end encryption.

~~~
crystaln
Apple has implented a solution with iMessage, albeit a proprietary one only
for iOS communications.

If Google prioritized the privacy of users thet would build a similar product
as the default Android messaging service, hopefully as an open platform.

I have been very reluctant to switch to Android for precisely this reason. It
represents a lack of concern for user privacy.

~~~
kyrra
It is easy is to send an insecure message via iMessage. When the app will
fallback to SMS, there isn't any clear indication that this is less secure.
Sure you get the green vs blue bubbles, but security isn't exactly pointed
out.

~~~
throwahey
SMS fallback can be easily disabled.

~~~
ajross
And secure chat applications can be easily installed. The whole kerfuffle here
is about defaults.

------
dcomp
I think RCS is being framed incorrectly. It isn't a competitor to
WhatsApp/telegram/iMessage it's an update to SMS

If they bought out another competitor all that would happen would be one more
chat client that 20% of your contacts use if that.

With RCS, in order to supplant SMS it requires co-operations with telco. It's
there to see increase base line support.

Maybe telco would have been okay with e2e encryption although I highly doubt
it. Once the baseline RCS standard is put in place. It maybe possible to
implement e2e with an OTR client side extension.

RCS is the successor to or replacement of SMS/MMS. I for one will be happy
when I no longer have to ask: "how do you want me to send that to you? Email
WhatsApp or telegram?"

~~~
Eridrus
> Maybe telco would have been okay with e2e encryption although I highly doubt
> it.

I don't think it's even about whether they would be "ok" with it, telcos are
highly regulated, it is probably illegal to have e2e crypto in a carrier
protocol in some jurisdictions.

------
nmeofthestate
Reminder: millions of people send SMS's and don't care one bit about
encryption, and they only use WhatsApp because it's free to send messages, and
pictures are supported.

~~~
fredley
Millions? Literally almost every user of WhatsApp. Those who care about
encryption are a miniscule minority.

~~~
0xfffff
Just because people don't care about privacy, doesn't mean they dont deserve
or in fact need it. But in fact most people care, or assume they have privacy.
why does Google not show a red icon to users that these messages are not
protected for instance. something browsers do? A company like Google should
care about their user's privacy, but well thats the entire point of the
article.

------
kerng
Many years ago (starting 2010 or so) Google "simplified" their privacy
policies, meaning they threw them out of the window and have a central profile
about you and your behavior. Some of Google's tactics are creepy, like
Microsoft late 90s creepy. They should be called out more often.

Reference to some of the things that happened back then:
[https://www.pcworld.com/article/248715/googles_tracking_plan...](https://www.pcworld.com/article/248715/googles_tracking_plan_offers_users_benefits_privacy_concerns.html)

------
monkeynotes
Well, I guess someone missed the point that the carriers control SMS, not
Google. 'Chat' is a consumer friendly name for Rich Communication Service
(RCS) which is built on top of SMS. Google is simply advocating adoption of
RCS after failing to get adoption for any of their own rich messaging
protocols.

Blame lazy, cash obsessed carriers if you want to blame anyone. Next we will
be blaming Google for making a phone app that only uses A5/1 stream cipher
which the FBI can intercept and decrypt easily when they want to snoop[0].

Yes Google failed so many times to compete with iMessage, but they did try. I
can't blame them to rethink their strategy, I mean most people are using SMS
already, I for one would like to at least be able to send full res photos.

[0] [https://www.washingtontimes.com/news/2013/mar/29/feds-fbi-
wa...](https://www.washingtontimes.com/news/2013/mar/29/feds-fbi-warrantless-
cell-tracking-very-common/)

~~~
ajross
There are sort of two issues here:

The first is that RCS is a flawed specification with inappropriate features
for the modern world and shouldn't be adopted. It's being pushed hard by
carriers, among others.

The second is that somehow Google has ended up as the punching bag for this
gripe for the crime of implementing RCS. I mean... no, that's not really fair
(and most of the folks here really should know better). But... meh. I mean,
they still implemented it.

People need to stop looking to carriers and software giants to secure their
privacy. There are multiple good options in the open source world for secure
messaging. We need to be pushing those.

~~~
mankash666
I bet the reporter willfully hung this around Google's neck though it was a
carrier standard. The story's just bait-ier with an evil-Google vs people plot

------
proaralyst
I really wish there were a third phone OS: I don't want to buy iOS devices
because the hardware is only manufactured by Apple and on Android you can't
get away from Google.

There's the new Purism phone but it probably won't be able to run WhatsApp.

~~~
Tepix
Screw WhatsApp. That's what you should be getting away from anyway. And
install CopperheadOS on your phone. It doesn't use any Google services. It
even has a list of its defaul connections made by the OS:
[https://copperhead.co/android/docs/usage_guide#default-
conne...](https://copperhead.co/android/docs/usage_guide#default-connections-
made-by-copperheados)

Unfortunately, support for Nexus devices will soon be gone and the Pixel 2
devices with pre-installed CopperheadOS are quite pricey for private use.

~~~
opencl
You can always just compile it yourself for your own Pixel 2 device. Or use
LineageOS which runs on a far wider range of devices and doesn't charge $500
for binaries.

------
Oletros
> The information obtained includes vehicle speed, coolant and oil
> temperature, throttle position, engine temperature and engine revs. This
> information is then reportedly sent from Android Auto to Google on a real
> time basis. Android Auto is now a component of Google Assistant.

This was denied by Google, isn't?

~~~
opencl
It's ironic that the photo for the linked article about the Android Auto
allegations is a Tesla, because Tesla does not support Android Auto and
actually _does_ collect that sort of information.

[https://www.tesla.com/about/legal](https://www.tesla.com/about/legal)

------
_bxg1
This is pretty alarmist. In addition to the other comments here about RCS
simply being SMS++, privacy and Google have been incompatible for a long time
already. If you care about privacy, don't use Google software in the first
place.

I always have to plug LineageOS on articles like this. It's a wonderful
Android ROM which provides additional privacy settings and which you don't
have to install Gapps with. I'm happily using a modern smartphone without a
single piece of software from the Big Five tech companies.

------
JustSomeNobody
From what I understand, RCS is not encrypted so that the carriers can
implement it as a SMS replacement and still comply with wire tapping
regulations (IANAL, so if anything I just said is wrong, please respond).

However, once RCS is implemented by the carriers, I see no reason Google's
Allo couldn't be updated to use RCS and still implement an encryption layer on
top of it.

~~~
pmontra
People will keep using WhatsApp, Messengwr and to a lesser extent Telegram.
Chat is the nth Google attempt in that space and everybody remembers that the
previous ones failed. That memory is all it takes to make this one fail too.
The only chance: make it replace the stock Messaging app, the one for SMSes.
Then route messages trasparently to the SMS gateway or to RCS.

~~~
Eridrus
> The only chance: make it replace the stock Messaging app, the one for SMSes.

This is exactly what is happening.

------
jasonkostempski
MRW I stumbbled onto the fact that Gboard has a opt-out keylogger.

Edit: Title change made my wording look like a drunk redditor stumbled over to
HN. The original title was "Google Accused of Showing 'Total Contempt' for
Android Users' Privacy". I too accused Google of 'Total Contempt'.

~~~
berberous
>> MRW I stumbbled onto the fact that Gboard has a opt-out keylogger.

Explain?

Edit: I think the parent poster is incorrect insofar as it may be read to
imply that keystrokes are sent to Google. While on iOS you can indeed give
Gboard (or any keyboard) "Full Access", Google's privacy policy for iOS GBoard
is below (Android's is similar). It seems reasonable to me, and only logs your
keystrokes _on your device_.

What Gboard sends to Google:

\- Gboard sends your searches to Google's web servers to give you search
results.

\- Gboard also sends usage statistics to Google to let us know which features
are used most often and to help us understand problems if the app crashes.

What Gboard doesn't send to Google:

\- Other than your searches, Gboard doesn't send anything you type to Google,
whether it's a password or chat with a friend. Gboard will remember words you
type to help you with spelling or to predict searches you might be interested
in, but this data is stored only on your device. This data can't be accessed
by Google or by any apps other than Gboard.

\- If you’ve turned on contacts search in Gboard search settings, this allows
Gboard to search the contacts on your device so you can easily share. None of
these queries are sent to Google.

~~~
Eridrus
It's probably training the language model powering word suggestions.

~~~
TotempaaltJ
Gboard updates the model on-device and sends the updates to Google, meaning no
keystroke data needs to be sent to Google while still improving the model with
real world usage:

> "[Federated Learning] works like this: your device downloads the current
> model, improves it by learning from data on your phone, and then summarizes
> the changes as a small focused update," scientists Brendan McMahan and
> Daniel Ramage said. "Only this update to the model is sent to the cloud,
> using encrypted communication, where it is immediately averaged with other
> user updates to improve the shared model."

[https://www.infoworld.com/article/3188430/artificial-
intelli...](https://www.infoworld.com/article/3188430/artificial-
intelligence/android-gboard-smartens-up-with-federated-machine-learning.html)

~~~
Eridrus
It probably still keeps a copy of your typing locally though.

~~~
UncleMeat
If that were true, so what?

------
fredley
I dream of a service which I can use to send a message to a contact. It knows
if that contact is on WhatsApp, Telegram etc. (or plain old SMS) and chooses
the best option for that contact automatically. It merges the inbound messages
from any of those apps I have so they're all in one place.

I no longer have to use all [n] chat apps installed on my phone just because
for each of them, there are a few people only contactable via that particular
app.

~~~
ecshafer
This was a solved problem back in the day. Pidgin was a desktop application
that let you put aim, msn, yahoo, or whatever chat you wanted together. You
had one list and you messaged people on there. It was the same regardless of
what platform they were on. It was great.

~~~
glenneroo
The Windows equivalent was Trillian, which even had IRC support.

------
zelos
> Google’s own app Allo has an option for end-to-end encryption but the
> company says it will no longer invest in it.

I really don't understand Google. Wasn't Allo a tent-pole item at Google I/O a
year or so ago, and now it's no longer being invested in?

~~~
telchar
They're the oil-rich nation of companies. They can afford vanity projects and
woeful mismanagement as long as that sweet sweet advertising money keeps
coming in. The sectors of the company that keep that running are run well, but
side projects like this seem to come and go with little rhyme or reason as far
as I can tell. Much like how the militaries of some countries are well-run and
competent (and control the oil) while the rest of the government is a clown
show.

~~~
carapace
Yes, exactly this. "You can get away with all kinds of BS when you're sitting
in an open fire-hydrant of money." One obvious symptom of this is that
Google's internal codebase is organized like a flea market rather than a phone
book.

------
HenryBemis
People using Android should live with the notion that Google siphons
absolutely everything from their devices. One way is to block any application
is not needed to "speak to google" (or Facebook, or any advertisers).

I always use and suggest to other Android users the NoRoot Firewall [1], and
then disable/uninstall everything not needed. Of course that applied to IT
pros, as tweaking things without the appropriate knowledge may/will result to
a phone bricking/reset.

[1]:
[https://play.google.com/store/apps/details?id=app.greyshirts...](https://play.google.com/store/apps/details?id=app.greyshirts.firewall)

~~~
dvfjsdhgfv
There's no way you could brick the phone by using the NoRoot Firewall.

In general, my problem with these apps is that you shift your trust from one
company to another. I have no idea who created this app, what their motives
are, how securely they guard their signing key and so on.

~~~
gruez
There aren’t open source versions?

~~~
opencl
DNS66 and NetGuard are similar open source applications.

[https://github.com/julian-klode/dns66](https://github.com/julian-klode/dns66)

[https://github.com/M66B/NetGuard](https://github.com/M66B/NetGuard)

------
hi41
Wow! This is something ... getting evicirated by Amnesty International!

------
gregknicholson
Oh, I hope this is Google having their “Facebook moment”!

~~~
ColinWright
It is, it absolutely is. People will run around going "Google is horrible!
Google is terrible", and then ...

 _Nothing will change._

~~~
scarface74
What realistic choices do people have? I use iOS, but given the choice between
a decent Android phone like the Moto E that you can get for less than $150 and
a $650+ iPhone, I wouldn't advise most people to get an iPhone.

~~~
peatmoss
I prefer the Android experience, but switched back to iOS / iPhone a couple
years back precisely because I did ask myself how much Apple’s better-but-not-
robustly-verifiable privacy posture was. I decided that, over the life of a
phone, that was worth at least $500 and the associated lesser UX.

I don’t know that a smartphone has to cost $650, but I don’t think most US
corporations will sign up to deliver a $150 smartphone that doesn’t mine your
privacy.

~~~
crystaln
Same. I really want to switch to Android for various reasons but can't bring
myself to give up Apple's core respect for privacy.

~~~
kevin_thibedeau
LineageOS + MicroG is all you need to cut out Google and get enhanced, per-app
privacy controls.

~~~
crystaln
Sure. I'm not interested in spending my time hacking my phone tho, and I want
to use Google services. I want privacy by default.

Also I'm less concerned about Google having my data than my messages being
sent plaintext through carriers.

