At their respective yearly developer conferences, Apple and Google both announced changes to their messaging platforms that compete with Facebook Messenger and Snapchat. All of these services now have features like stickers, photo editing, wacky themes, zany message styles, and other fun features. Under this glossy veneer of oversized emoji lies some serious privacy considerations, however. The security risks of Messenger and Snapchat are well–documented, but given that Google have announced a new app, it warrants further investigation.

Consider that Google makes money when you engage with an advertisement. In order to increase their chances of you doing this they develop free services like Gmail and Search. They take this opportunity to serve you those targeted ads, but also to collect metrics on your behavior, which in turn improves targeting. I suspect that the reason that Allo is not encrypted by default is that Google is analyzing your messages to further build out a profile on you, determine what type of ads you’re likely to click on, and serve them to you from the highest bidder. This profile will include products your considering buying, health conditions you mention, plans you have for the future, and more. Google “knows” these facts about you and uses that knowledge to sell advertisements. This would not be possible if the messages were encrypted end-to-end, because only the sender and receiver would have the digital keys required to see the contents of the messages.

If it were the government or someone you knew that intercepted your communications to pry into your business or secrets, it’d be rightly called unwarranted surveillance or just plain creepy. Consider that the analog equivalent of this behavior may be, say, reading your post-office delivered mail, which is a federal crime finable of up to $5,000 and punishable up to 5 years in jail. The turn of phrase at the start of this paragraph, to “pry into the business or secrets of another”, is exactly the wording of federal law 18 U.S. Code § 1702, and yet it seems that this is exactly what technology companies have convinced their users to be complacent with. There will be some that respond to this with, “I have nothing to hide.” Perhaps this is the case for some that make this claim, but if asked, I doubt most people would allow anyone to download their search history in full, forward all of their emails to somebody, or have their recent text messages read aloud in a public place (even if it was done anonymously, I suspect). Further, the mere existence of an incognito mode in Allo admits that there are messages that users do not want to share with Google and be profiled for.

This is a concession, a compromise. It’s because Google, like Facebook, realizes that consumers are wising up about the importance of privacy, and they are attempting to appeal to them. But it’s not a compromise that you have to make considering competing end-to-end encrypted chat services like WhatsApp or iMessage. A much stronger rebuttal to my claim that Allo is surveillance and creepy is that Google’s server do not in fact store the chat logs (it does, however, “read” them). Among other reasons, storing these messages is a liability they must manage with law enforcement agencies (remember Apple vs. the FBI?). As evidence of this, here’s Dieter Bohn from the Verge interviewing Google executives on the launch of Allo:

[Messages sent with Allo] are read by Google’s servers, but Kay assures me that the data is stored “transiently,” which is to say that Google doesn’t keep your chat logs around to be subpoenaed. And Fulay adds that Google doesn’t assign identity to the chat logs on those servers even then.

On storing messages “transiently”, this is not re-assuring. To re-use the previous metaphor: it’s akin to someone reading all of your mail, storing copious notes on the contents, and referring to those notes later to take guesses at your future behavior. Considering that in that period of time the message are stored on Google’s servers, they are run through the world’s most sophisticated machine learning algorithms to glean information from them. The reason they don’t store them is not to protect your privacy, it’s because they’re finished harvesting information from the message. And with regards to Google “not assigning identity ” to messages, the process of “de-anonmyizing” data has been well-documented at MIT and the Universitè Catholique de Louvain. The way it works is cross-referencing “anonymous” data with publicly available or leaked information. Not only that, but the data isn’t much use to Google unless they can use it to target ads to individuals, which makes me skeptical of this claim. Perhaps Google today is secure, both from external hackers and internal leakers, but there’s no guarantee that this will always be the case. Quite the contrary, the recent purchase of LinkedIn by Microsoft and LinkedIn’s frequent leaks show that your data can end up in different hands than you anticipated (though the terms of service users “agreed” to allows it).

The trade-offs involved with using Google’s Allo messaging service are not worth the value they provide. In particular, Allo’s off-by-default end-to-end encryption policy makes it inconvenient to secure your conversations, Google’s motives to profit is opposed to their user’s best interests, and the engineering countermeasures to limit the scope of this are at least unknown, perhaps superficial, and definitely not required considering the competition. However, there are number of really great ideas in Allo that are very popular amongst users of trendier messenger apps like WhatsApp, WeChat, and Facebook Messenger. (For the record, WhatsApp is end-to-end encrypted by default, it doesn’t seem to like WeChat even uses over-the-wire encryption, and Facebook stores all of your messages.) If you’re an Android user, stick with another chat service that encrypts by default like WhatsApp or Signal. If you’re an iOS user, many of the features from Allo were announced to be coming to iMessage, which is encrypted end-to-end, in the Fall.