How Google Allo Will Keep Your Messages Safe (and How it Won't)

At Google's annual developer conference, the company revealed a new pair of messaging apps called Duo and Allo, and took time to highlight the security features of both. But how secure will these services be in this age of mass surveillance?

Allo, Encryption
At Duo's unveiling, Google's representatives confirmed that the service will indeed be encrypted. But the text-messaging app Allo has many more security features. Messages, Google said, will be sent over encrypted channels. Users can also toggle into an Incognito mode for stricter, more secure messaging.

To build the encryption for Allo, Google had numerous options. There are several tried and true encryption protocols, or could have opted to create its own, as Telegram did. Instead, Google partnered with Whisper Systems, the creators of the open source Signal encryption protocol (formally Axolotl) and the Signal encrypted messaging app. This partnership not only brings excellent technology and expertise to Allo's encryption, but it's also a political statement. Whisper System has been quite open about its disdain for government spying, and its products have even been endorsed by popular fugitive-slash-folk hero Edward Snowden.

"We've been collaborating together on the integration of Signal Protocol into Allo, which will bring all of Signal Protocol's strong encryption properties to Allo's incognito mode," Whisper Systems wrote in a blog post.

This isn't the first time Whisper Systems has partnered with other companies to secure messages. In 2014, WhatsApp announced that messages would be encrypted with Whisper Systems technology; that transition was completed in 2016.

Whisper System technology will only be used when users switch into the stricter Incognito Mode, similar to how they do with Chrome. In this mode, messages are encrypted end-to-end, meaning that the message is encrypted on the user's device, sent over an encrypted channel, and then decrypted on the recipient's device. Incognito messages will also trigger more subtle notifications, so the casual observer won't be able to read too much.

For those playing along at home, this is similar to how Telegram handles messages. In Telegram, all messages are secured in transit, but Secret Messages can only be read by the intended recipient. This gets around the central problem of encrypted messaging systems. A message that is encrypted in such a way that it can't be read by the service provider can't be synced to multiple user devices. That's something most of us have come to expect with our messaging services.

Having two modes means that some of our messages can be synced between devices, and the ones that require more security won't. This also fits well with Allo's model of tying accounts to users' phone numbers. During the keynote, Allo's developers noted that like Incognito information in Chrome, Incognito discussions will be destroyed once the conversations are closed.

Conversations and Numbers
Both Allo and Duo will be tied to user's phone numbers. The phone number is a very important piece of information, because it's one of the very few verified personal identifiers. Think about it: in order to get a phone number, you need to have an account with a phone company, which in turn needs to verify your identity in order to bill you. You're billed every month, so that identity is then reverified. The proliferation of personal cell phones and the decline of landline phones makes the phone number even more specific, since most people don't have multiple phone lines coming into a single home.

Phone numbers instead of account names also allow Google to quickly verify a user. Normally, you're sent an email with a link you have to click. Phone number identification means the same thing can be done with a text messages. And some Android apps have gotten so good at this, they can authenticatication you via text message without you even knowing it's happened.

The security benefit to you is that you can be fairly certain that the person you're speaking to is who you believe them to be. Unless they've had their phone stolen, of course.

Whisper Systems also provides encrypted voice calls in its Android and iOS apps. However, it's not clear if Google is using the same technology in Duo. At the app's announcement and in later documentation, Google does make clear that Duo conversations are encrypted end-to-end. While encrypting video and voice has its own set of challenges, it is a live event between only two parties. Messages, for convenience, are synced between devices. But as long as the conversation is only between two people, as it is for Duo, end-to-end encryption is fairly straightforward.

Good Enough?
While Google's inclusion of trusted encryption and security features into a flagship product is a win for individual privacy and security, it hasn't pleased anyone. Christopher Soghoian, the Principal Technologist for the ACLU and an outspoken proponent of digital security and privacy did not mince words on Twitter.

iMessage, WhatsApp, Signal: End-to-end encryption turned on by default.
Telegram, Google Allo: Secure to server, e-2-e only via opt-in mode.

— Christopher Soghoian (@csoghoian) May 19, 2016

By making encryption opt in, Soghoian believes that Google is undermining security for Allo users. "By turning encryption off by default in Allo, Google has given the FBI exactly what the agency has been calling for," he said on Twitter and in an article for BuzzFeed. The problem, Soghoian believes, is that most users will simply never enable the most useful encryption.

Making crypto opt-in hurts users who know least about tech. Google led industry w default HTTPS. Allo is a step back https://t.co/dzSOXHbdPV

— Christopher Soghoian (@csoghoian) May 19, 2016

Speak to Me
Security is often portrayed as the enemy of ease and usability, and in the case of messaging this is at least partly true. Users want to have their messages everywhere, and easily available. For the most part, this is antithetical to how robust security and encryption works. It's quite possible—likely, even—that most people won't use the incognito mode, or even understand why it's different.

But I am thrilled to see Signal's involvement, and I do like that Google is even providing it as an option. And it's smart to couch it as an "Incognito" mode, something at least some users are familiar with from using Chrome and other modern browsers.

Of course, the real function behind Allo is to connect you with the Google assistant, the company's term for its ambient chatbot experience. In the Google I/O keynote, developers mentioned that Allo, and presumably the Google assistant, will only gather your information if you allow it to do so. We'll have to see how this implementation works, but make no mistake: while the Google assistant and its chatbot ilk are convenient and cool, they are designed to gather information and to make transactions seamless. Allo is our first gateway to this new paradigm for search, and for how user information will be gathered and used.