Google chat app Allo boasts strong encryption — if you turn it on

Google engineering director Erik Kay talks about the new Allo messaging app at the Google I/O conference last week.
(Eric Risberg / Associated Press)

Google has announced a new messaging app with strong encryption, meaning that your communications can’t be wiretapped. But there’s a catch: You have to turn on that feature yourself.

The tech titan’s plan to launch Allo this summer without encryption by default has drawn withering criticism from some quarters.

“Google’s decision to disable end-to-end encryption by default in its new #Allo chat app is dangerous, and makes it unsafe,” Edward Snowden tweeted. “Avoid it for now.”


But other privacy advocates are more positive.

“I, too, would prefer that Allo be encrypted by default,” said Kevin Bankston, director of New America’s Open Technology Institute. But, he added, “all in all, this is going to be a net increase in the amount of encrypted messaging out in the world. And that is ultimately a good thing.”

With Allo’s debut, Google is taking a step toward joining the growing number of tech firms embracing “end-to-end” encryption, which protects the privacy of text messages and voice and video calls in such a way that even with a warrant, the government can’t access them. But by requiring users to turn on the feature, Google is lowering the odds that average users will avail themselves of the option, critics such as Snowden say.

Apple’s iMessage launched in 2011 with strong default encryption. WhatsApp, Facebook’s messaging app, last month announced it had full, end-to-end encryption by default on all platforms -- including Android, iPhone and BlackBerry. Apple also launched its FaceTime video call feature in 2010 with strong default encryption. That means that even when served with a warrant, these firms cannot provide law enforcement access to WhatsApp and iMessage chats.

FBI Director James B. Comey has endorsed the benefits of encryption. “I love strong encryption,” he said in a speech last month. But, he said, “what’s changed in the last few years is that it’s now become the default, covering wide swaths of our lives and covering wide swaths of law enforcement’s responsibilities.” He has called for a balancing of privacy and public safety needs in which firms maintain a way -- usually with a key -- to get the government access to the communications it seeks.

So Google’s move on balance is welcome, said one law enforcement official, who, unauthorized to speak about the issue on the record, spoke on the condition of anonymity. “Having this as an opt-in feature is certainly useful to us.”

Google designed Allo without default encryption to make it easier to mesh the chat app with Google Assistant, a new conversation bot that can hold natural-sounding discussions with users, a Google spokesman said. It’s a competitor to Apple’s Siri, Amazon’s Alexa and the many bots created for Facebook’s Messenger app. Assistant is designed to tap into Google’s wealth of data about users to provide tailored recommendations, such as the best movies to see or the quickest route to the theater.


Because Google may need to run queries made of Assistant on its own servers, the official said, it’s not feasible to offer end-to-end encryption by default. Users who opt to use the encrypted Incognito mode may thus lack some Assistant features, he said.

Some tech experts said it is possible to combine strong encryption with the artificial intelligence bot feature. “There’s always a way,” said Morey Haber, vice president of technology at the cybersecurity firm BeyondTrust. Smartphones, for example, could do some of the processing on the device. But, he said, it would be difficult to fully process queries to Assistant without the power of Google’s remote servers, which would need to see the unencrypted queries. “I don’t think the technology is there yet,” Haber said.

The company said that even the standard chat mode conforms with standard encryption practices; messages between Google and users will be encrypted, but the Google Assistant system will have access to what users are sending.

Still, the company’s decision to forgo default encryption has raised questions -- even internally.

A Google engineer, in a personal blog post Thursday, obliquely criticized the lack of default encryption. “If incognito mode with end-to-end encryption ... is so useful, why isn’t it the default in Allo?” Thai Duong wrote. He also said he would push for “a setting where users can opt out of cleartext [unencrypted] messaging.” Both lines were quietly removed later that evening from his post, with Duong adding a note that he erased a paragraph “because it’s not cool to publicly discuss or to speculate the intent or future plans for the features of my employer’s products.”

Google declined to comment on whether it pressured Duong to edit his post.

Christopher Soghoian, American Civil Liberties Union principal technologist, said by making the encryption feature an opt-in, “Google gets the maximum press value out of the encryption tech while guaranteeing that it is used by as few people as possible.”


Google, he said, “has given the FBI exactly what top officials have been asking for.”

Bankston said the opt-in will depend on how easy the firm makes it to turn on. “That,” he said, “will turn a lot on the design.”

Ellen Nakashima is a national security reporter for the Washington Post. Hayley Tsukayama covers consumer technology for the Washington Post.