Hangouts is not as secure as Google would like us to believe. The company has finally admitted its messaging service doesn’t use end-to-end encryption, meaning Google itself can tap into its users’ conversations. The revelation comes in the wake of an AMA on Reddit, in which Google’s director for law enforcement and information security, Richard Salgado, and senior privacy counsel, David Lieber, answered questions about the state of government surveillance in the US.
Christopher Soghoian, from the American Civil Liberties Union, took the AMA as an opportunity to ask for clarification on Google Hangouts' encryption, on which the company has always been relatively secretive. “Why has Google refused to be transparent about its ability to provide wiretaps for Hangouts? Given Google’s rather impressive track record regarding surveillance transparency, the total secrecy regarding the company’s surveillance capabilities for this product is quite unusual.”
Salgado’s answer danced around the question, stating only that “Hangouts are encrypted in transit.” This didn’t exactly satisfy the community, and Google’s continued sketchiness about the encryption of Hangouts has led many to assume the service is not fully secure. But in the wake of the AMA, Motherboard received confirmation from a Google spokesperson that Hangouts does not use end-to-end encryption. This means that, while there is encryption that stops third parties from tapping into conversations, the conversations are not protected from being read by Google itself, or from being handed over by Google to government agencies. Even turning on the “off the record” feature does not prevent this, which makes the inclusion of the feature rather misleading.
In the wake of the Edward Snowden revelations, people have flocked to services that provide protection from government surveillance. The revelations made it clear that encryption that blocks third parties but not the host companies like Google or Apple is next to useless when it comes to preventing government surveillance, since the National Security Agency has been working in collaboration with all of the major tech companies to gather data on their users.
The revelations also led to many companies selling encrypted messaging services, some of which have been quite successful. Apple implemented end-to-end encryption on its iMessage and FaceTime services and has used this as one of its selling points. Even though Apple was one of the companies Snowden revealed to be cooperating with the PRISM program, its claims that nobody but the sender or receiver could read iMessage conversations have been shown to be mostly true. (Apple can still read your messages if they want to. It’s complicated.)
The lesson here is that most of the major tech companies, particularly the ones Snowden has mentioned, can’t be trusted with data their users don’t want seen by government eyes. The good news is that there are plenty of free and fully encrypted communication services to choose from. You just have to look them up. But not on Google.