Google I/O occurred last week and of the many announcements made, a few stood out to me.
Google announced a new video chat app, a messaging app, and smart home appliance called Duo, Allo and Google Home respectively. All these products are due out this summer and promise to deliver outstanding AI-based features for users.
All of these products also promise to leverage everything Google already knows about you to deliver things you didn’t even know you wanted. But all of these products do not deliver end-to-end encryption, which is a huge business gamble for Google and its billion+ users.
At Google I/O, CEO Sundar Pichai made statements, such as:
“We believe the real test is whether humans can achieve a lot more with machine learning assisting them,” and “It’s not just enough to get them links, we really need to help them get things done,” and “We want users to have an ongoing, two-way dialogue with Google.”
While that sounds great to me, it also sends up red flags.
For years, security-minded folks have gravitated towards Apple’s iOS for its hands-off approach on personal data. Meanwhile, Google devices still function even when users are not logged in, as Google always sets the default to ON. Google’s marketing team probably hates this fact but its engineering team needs users to be constantly feeding their search engines, emails and chat sessions with private user data.
It’s how Google works but a little part of me always hoped they would offer a separate product line that was fully encrypted and private from prying eyes, including Google’s. It would seem that now there is no turning back to full encryption.
No Turning Back To Encryption
Google’s announcement that the future is AI signaled an obvious move in the same direction it was already heading with little chance of turning back. Digging through billions of user’s metadata and conversation content requires hefty processing power. Google offloads this data to the cloud where it is processed and sent back to the user’s phones as answers to queries or commands.
Google sends and receives this data using software but not hardware encryption. Of course, everything is software encrypted so that it cannot be easily intercepted. However, Google does have the key to all of this encryption, giving it the ability to share, sell or hand over your data at any time as they see fit, according to their EULA.
That puts all user data in a more vulnerable state than Apple’s iOS data, for example. Apple can’t share user data on iOS devices even if they wanted to.
Google’s decision to disable end-to-end encryption by default in its new #Allo chat app is dangerous, and makes it unsafe. Avoid it for now.
— Edward Snowden (@Snowden) May 19, 2016
Google’s Allo is a WhatsApp competitor. Duo, Google’s answer to FaceTime, is an Apple competitor. And Google Home is a direct competitor to Amazon’s Echo. While Amazon’s Echo has no known security holes, it’s far less worrisome than the security potential of something like a Google Home. But the fear of a device that is always on and listening isn’t going to go away anytime soon for many users.
Remember Samsung TVs always listening? That didn’t go too well to ease consumer concerns over privacy. Google’s data mining ability overshadows all of these products, so the threat potential is only growing.
Insecure By Default
Since Google insists on turning off end-to-end encryption by default, the majority of their users could be unknowingly or even unwillingly sharing all that data with Google, potential hackers, foreign governments or even our own government. This isn’t a big brother scare tactic. We’ve recently seen the FBI and Senate lobbying to gain access to any encrypted data they want, so it’s no stretch to imagine them going after unencrypted data even harder.
Google engineer, Thai Duong, recently published a blog explaining his desire for end-to-end encryption to be ON by default. Since this posting, the blog and his response to user comments have been edited to clarify.
In the end, this is about Google’s business model always outshining their privacy policies. And so long as they continue to mine data for services, their business model will always win out over our privacy concerns.
Google, the 2nd most valuable company in the world, is gambling on its services to win out over the real and perceived privacy, as well as security hazards ahead. Some may want them to win but not at our expense.
About the Author: Scott Schober (@ScottBVS) has lectured and presented extensively regarding cybersecurity and corporate espionage at numerous conferences around the globe. He has recently overseen the development of several cell phone detection tools used to enforce a “no cell phone policy” in correctional, law enforcement and secured government facilities. He is regularly interviewed for leading national publications and major network television stations, including Fox, Bloomberg, Good Morning America, CNN, CCTV, CNBC and MSNBC. He is the author of “Hacked Again” and writes, “In a modern digital world no one is safe from being hacked, not even a renown cybersecurity expert.”
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.