
Google backs off on previously announced Allo privacy feature - Aissen
http://www.theverge.com/2016/9/21/12994362/allo-privacy-message-logs-google
======
retox
> Allo messages will still be encrypted between the device and Google servers,
> and stored on servers using encryption that leaves the messages accessible to
> Google’s algorithms.

'using encryption that leaves the messages accessible to Google’s algorithms'
So, not meaningfully encrypted at all then?

~~~
nevir
Probably stored under the same security infrastructure as Gmail and Hangouts
messages.

Which, IIRC, means no human is given direct access without the account
holder's permission. Algorithms are allowed access, but only if they emit data
that is similarly secured, or emit data in aggregate (where, I think,
aggregate was defined as 100k+ users per aggregate data point)

It's _extremely hard_ for a Googler or product team to do something directly
nefarious, but you do have to trust Google's privacy infrastructure.

~~~
jtrip
I don't think that is enough. Here we are relying on Google being magnanimous
enough to not use the data to increase their profitability. And even beyond
that, your opinion is a little naive to hold in a post-Snowden world.

~~~
witty_username
How is it necessarily wrong if Google uses the data to increase their
profitability?

------
rryan
This seems to be where the "backing off" claim is coming from:

[http://www.theverge.com/2016/5/18/11699122/google-allo-messa...](http://www.theverge.com/2016/5/18/11699122/google-allo-messaging-app-announced-io-2016)

> First, all conversations are encrypted "on the wire," which means that
> nobody on the internet can read them as you send your message. They are read
> by Google's servers, but Kay assures me that the data is stored
> "transiently," which is to say that Google doesn't keep your chat logs
> around to be subpoenaed. And Fulay adds that Google doesn't assign identity
> to the chat logs on those servers even then.

I think this is a misunderstanding -- either on the part of the authors or
from the Google employees on understanding the question asked by the authors.

Kay probably meant that in Incognito mode, messages are stored transiently. I
don't believe that has changed, has it?

Did Google really say that non-Incognito messages would not be stored
server-side? What happens if you lose your phone -- do you lose all your Allo chat
history? That would be a really shitty user experience.

~~~
blowski
I lost all my WhatsApp chat history after a phone upgrade went wrong, and it
didn't cause me any problems at all. I recognise that my use case is not the
same as everyone's, but if I want to save something from WhatsApp, I put it
somewhere else.

~~~
zeveb
Yeah, and I normally don't bother to copy over my SMSes. I _can_, and I
appreciate that, but they're really so ephemeral that it's not worth the
bother.

------
Odenwaelder
Who needs yet another messaging app? Aren't the 10 I have installed enough
already?

~~~
kbart
Don't worry, being run by Google, it won't stay around long. /s

------
karmajunkie
Was anybody actually planning to use Allo for encrypted communications? I was
under the impression it was written off at its announcement.

~~~
kyrra
Why was it written off? It's using Whisper Systems tech to do its end-to-end
encryption[0]. Is there some way Google could inject itself into this, or some
reason people shouldn't trust it?

[0]
[https://whispersystems.org/blog/allo/](https://whispersystems.org/blog/allo/)

~~~
pritambaral
There is always a way to inject malicious code in a codebase you control. The
Allo apps are closed-source and their code is solely controlled by Google.
Doesn't matter which protocols they _claim_ to be using, when they could
simply push an update which silently uploads your private keys to their server
(or breaks the _claim_ in any of the many different ways).

This is the same reason even WhatsApp's use of 'end-to-end encryption' cannot
be considered secure from WhatsApp.

~~~
bagacrap
So, do you write your own compiler as well?

~~~
WallowC_33
Repost

------
joosters
These privacy articles make a big deal about law enforcement being able to
access messages. Surely a much bigger concern is Google being able to access
the content?

~~~
NetStrikeForce
One implies the other.

~~~
tombrossman
A fair percentage of people (myself included) are far more concerned about
protecting our data from marketers, advertisers, and data brokers, than we are
about going 100% 'tinfoil hat' mode and worrying whether the NSA is monitoring
my messages for thought crimes. These are two very distinct issues and not
everyone is concerned about both equally.

~~~
alanwatts
Dr. King was monitored by the NSA for "thought crimes". Is that "100% tinfoil
hat mode"?

[https://en.wikipedia.org/wiki/Martin_Luther_King_Jr.#NSA_mon...](https://en.wikipedia.org/wiki/Martin_Luther_King_Jr.#NSA_monitoring_of_King.27s_communications)

~~~
tombrossman
> Dr. King was monitored by the NSA for "thought crimes". Is that "100%
> tinfoil hat mode"?

Probably 'yes' for you, 'no' for him.

Sorry, but a random HN commenter is extremely unlikely to be targeted for the
level of surveillance and treachery that Dr King was. If he feared it, he had
good reason. If you are some random IT worker building the next smart pillow
you cannot expect them to prioritize spying on you, that's all I'm saying.
Mass surveillance isn't the same as targeted.

~~~
nzp
Actually, I'd say a random HN commenter is extremely _likely_ to be targeted
for surveillance and exploitation compared to the general population at least. Not
because they personally are important, but because of their jobs. So many
administrators, programmers, etc. with access to relevant data.

~~~
NetStrikeForce
Yes, I almost mentioned the Belgacom sysadmins in one of my responses.

How many people here work for Google, Facebook, Apple, etc? What if you could
compromise their workstations and get privileged access to the backend of
social networks, email systems, etc? We are being actively hunted and there's
evidence of that.

~~~
nzp
Some years ago FreeBSD had an intrusion via one of the committers' machines or
stolen SSH key, I don't remember which any more, but I do remember that it
took months for the package building infrastructure to get fully operational
again. I think they never got to the bottom of that (who did it or why). Linux
had a very similar incident if I'm not mistaken.

It's such a standard and effective method in human intelligence, that it's
extremely naive to think an analogue wouldn't be used extensively in signals
intelligence too.

------
nxzero
Here's Moxie's related press release on doing E2E for Allo:
[https://whispersystems.org/blog/allo/](https://whispersystems.org/blog/allo/)

Curious if he'll comment on what happened:

[https://twitter.com/moxie](https://twitter.com/moxie)

[https://news.ycombinator.com/threads?id=moxie](https://news.ycombinator.com/threads?id=moxie)

___

If you don't know about Moxie, highly suggest learning more about him:

[https://thoughtcrime.org/](https://thoughtcrime.org/)

[https://en.m.wikipedia.org/wiki/Thoughtcrime](https://en.m.wikipedia.org/wiki/Thoughtcrime)

[https://en.m.wikipedia.org/wiki/Moxie_Marlinspike](https://en.m.wikipedia.org/wiki/Moxie_Marlinspike)

~~~
eps
The best new friend of Facebook Moxie?

His "trust us, we checked FB Messenger code and it's all good" pitch made for
a very entertaining read.

~~~
hydragit
Yes, Moxie "knows it all" wants to control his apps so much he doesn't want
them to be on f-droid
[https://f-droid.org/posts/security-notice-textsecure/](https://f-droid.org/posts/security-notice-textsecure/)

~~~
nxzero
Do you feel f-droid's build security should be trusted, and if so, why?

> "F-Droid has received criticism for distributing out-of-date versions of
> official applications and for its approach to application signing."

[https://en.m.wikipedia.org/wiki/F-Droid](https://en.m.wikipedia.org/wiki/F-Droid)

~~~
CaptSpify
> F-Droid has received criticism for distributing out-of-date versions of
> official applications

That's not a bug, it's a feature

------
romanovcode
First thing I thought when I saw the release of this app is that it will record
everything I do because it's Google.

Thanks but no thanks, Google. Stay evil.

~~~
vbcr
_> Stay evil._

Wow. Google went a full 180 from being a company that promoted itself by
saying "Don't be evil" to something evil. Couldn't Google have made its
billions still being not evil, without its privacy issues, without its
obnoxious desire for tracking everything? Did they turn to this evil for the
money or just because they can do it (or if not someone else will)?

~~~
romanovcode
>Couldn't Google have made its billions still being not evil

No. Google is an advertising company and advertisement companies need a lot of
user data for targeted ads.

~~~
tanqueray
How does it benefit by keeping data forever though? Of what use is aged data?

~~~
hiddenkrypt
It doesn't. They need a constant stream of new data for their business model
to work. Thus, they benefit from continuously collecting data on users.

~~~
tanqueray
So why do they store indefinitely? If they stated a retention period openly
they'd get much less criticism over privacy.

~~~
yellow_postit
I'd assume for machine learning developments, specifically as training data
and back testing. Build a new model with 3x the data you had before or be able
to retrospectively see how a model would have performed over 3 years rather
than 1.

------
losvedir
Was it really expected in the first place that the ordinary messages don't get
saved on Google's servers? As someone with a passive interest in Allo but who
hasn't been following it closely, I never assumed the "smart AI" messages were
anything other than simple Hangouts-type messages that get stored on Google's
servers. I'd even expect (/hope) them to be someday accessible on the web or
transferable to a new phone.

It's the incognito that are end-to-end encrypted and I expect are secure from
Google's prying eyes. And I don't think anything has changed there.

This is a non-issue for me, anyway.

------
JustUhThought
And just yesterday someone on HN didn't understand why the recent Google
messaging apps weren't being more widely adopted.

It's clear the public wants some assurances around privacy, or at least
transparency where it is lacking. Not to mention, this is the umpteenth
product they are planning to deprecate, uh, I meant launch (Grand Central,
Voice, Wave, Talk, Hangouts, etc).

------
JohnLeTigre
Wow, they could generate stylometric profiles and sell that for mega-bucks.

Kind of creepy I say.

------
slantedview
You either want encryption, security and privacy or you want other things like
history. Allo choosing the latter makes it useless for anyone who really cares
about security or privacy.

~~~
wybiral
There's no reason that the history couldn't be encrypted in a way that's only
accessible to the client. There are even techniques for encrypted indexing and
keyword search.
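
The client-only encrypted history with keyword search that the comment above mentions, as an added example (not part of the thread and not Allo code): messages are sealed with AES-256-GCM on the client and indexed by HMAC keyword tokens, so the server can answer a search without holding either key. The `server` object, the function names and the sample messages are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Both keys are generated and kept on the client; the server never sees them.
const encKey = crypto.randomBytes(32); // AES-256-GCM key for message bodies
const idxKey = crypto.randomBytes(32); // separate HMAC key for keyword tokens

// Everything the provider stores: ciphertext blobs and opaque keyword tokens.
const server = { blobs: [], index: new Map() };

// Keyed hash of a keyword; without idxKey the server cannot compute or test one.
function token(word) {
  return crypto.createHmac('sha256', idxKey).update(word.toLowerCase()).digest('hex');
}

// Client side: encrypt the message, then upload the blob with its keyword tokens.
function store(msg) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const c = crypto.createCipheriv('aes-256-gcm', encKey, iv);
  const ct = Buffer.concat([c.update(msg, 'utf8'), c.final()]);
  const id = server.blobs.push({ iv, ct, tag: c.getAuthTag() }) - 1;
  const words = msg.split(/[^\p{L}\p{N}]+/u).filter(Boolean);
  for (const t of new Set(words.map(token))) { // one index entry per distinct word
    if (!server.index.has(t)) server.index.set(t, []);
    server.index.get(t).push(id);
  }
  return id;
}

// Client side: send one token, then decrypt and authenticate whatever comes back.
function search(word) {
  return (server.index.get(token(word)) || []).map((id) => {
    const { iv, ct, tag } = server.blobs[id];
    const d = crypto.createDecipheriv('aes-256-gcm', encKey, iv);
    d.setAuthTag(tag); // final() throws if the server altered the blob
    return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
  });
}

// Constructed sample history.
store('Lunch at noon on Friday?');
store('Friday works, see you at the cafe');
store('Running late, start without me');
console.log(search('friday')); // the two Friday messages, decrypted locally
```

Deterministic tokens still show the server which messages share a keyword and which searches repeat; schemes that hide more of that pattern exist but cost more.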

