Linked by Thom Holwerda on Thu 22nd Sep 2016 09:03 UTC
Google

Remember when Google said they wouldn't store messages in one of the company's new chat applications, Allo? Yeah, no.

The version of Allo rolling out today will store all non-incognito messages by default - a clear change from Google’s earlier statements that the app would only store messages transiently and in non-identifiable form. The records will now persist until the user actively deletes them, giving Google default access to a full history of conversations in the app. Users can also avoid the logging by using Allo’s Incognito Mode, which is still fully end-to-end encrypted and unchanged from the initial announcement.

Like Hangouts and Gmail, Allo messages will still be encrypted between the device and Google servers, and stored on servers using encryption that leaves the messages accessible to Google's algorithms.

For this reason alone, don't use Google Allo. But wait, there's more! There's also the backwards way it handles multiple devices and phone numbers - another reason to not use Google Allo. Sadly, even if you don't have Allo installed, you may still be forced to deal with it at some point because of some 'clever' tricks by Google Play Services on Android. If someone sends you an Allo message, but you don't have Allo installed, you'll get a special Android notification.

The notification lets you respond through text alone (as opposed to stickers, photos or anything like that), or alternatively ignore it altogether. There's also a button taking you straight to the Play Store install page for Allo.

How can Google do this? The notification is generated by Google Play Services, which is installed on just about every Android phone, and updates silently in the background.

Don't use Google Allo.

Thread beginning with comment 634740
Forget about the law
by grahamtriggs on Thu 22nd Sep 2016 14:17 UTC
grahamtriggs Member since:
2009-05-27

Interesting that everyone jumps to law enforcement, nefarious companies, etc. as the reason to not have their messages stored.

At that level, most people just need to get over themselves - what they say isn't that interesting, isn't that controversial, and isn't going to get them into trouble. Unless they've actually warranted it...

But, there is an issue with storing data - and that is around sensitivity. If the information is stored in the cloud, then it's a target for hackers. I don't care about the cops reading my texts - but when I text someone my address so that they can visit, etc. then maybe I am worried about criminals getting hold of some of the information that I text.

Assuming that you trust Google to manage that security, most people would actually see benefits from having their information stored. Lose or break your phone? Want to switch from Android to iPhone, or back again? No problem - just get a device with Allo, and you haven't lost any of that information.

As ever, knee jerk reactions and hyperbole aren't useful, evaluate what products do and don't do, and use them (or not) appropriately.

Reply Score: 1

RE: Forget about the law
by cb88 on Thu 22nd Sep 2016 16:00 in reply to "Forget about the law"
cb88 Member since:
2009-04-23

The problem with storing conversations... is that if they can access it they can also fake it... if you ever do get important enough for anyone to care. Or on the off chance that someone with access decides to steamroll you because you made them mad etc...

Personally I think technologies like Tox are the answer... all the data is stored encrypted locally (if I want to back it up I can do that too but it's encrypted in the backup) Also most clients use the core library so... they are all on the same page interoperability wise similar to Telegram although I think they do this at the spec/API level.

Hopefully they add multi-device support soon to toxcore (it's on the TODO but probably not before the end of the year unless someone coughs up the cash to get the ball rolling)

Reply Parent Score: 4

RE: Forget about the law
by Alfman on Thu 22nd Sep 2016 16:13 in reply to "Forget about the law"
Alfman Member since:
2011-01-28

grahamtriggs,

At that level, most people just need to get over themselves - what they say isn't that interesting, isn't that controversial, and isn't going to get them into trouble. Unless they've actually warranted it...

But, there is an issue with storing data - and that is around sensitivity. If the information is stored in the cloud, then it's a target for hackers. I don't care about the cops reading my texts - but when I text someone my address so that they can visit, etc. then maybe I am worried about criminals getting hold of some of the information that I text.

...
As ever, knee jerk reactions and hyperbole aren't useful, evaluate what products do and don't do, and use them (or not) appropriately.


I don't know if it's fair to call it hyperbole though. Data collection is far more pervasive now than for previous generations. These days people can easily ruin their futures by doing things that people have always done, with the difference being that so much more of it is being recorded.

Heck, there are political things that are risky to talk about. For example, it could affect the residency status of green-card holders like myself just for having a negative opinion. This is all the more relevant because an openly nationalist bigot like Trump with no respect for civil rights or the law might well call on the NSA and secret courts to use our data against us in ways that are unexpected and even unlawful. And unfortunately it's not just the US, we don't have a good grasp on how our digital trails might be used in the future.

Now maybe you think it's exaggerated, but mark my words, if we take our privacy for granted, then we will lose it, and powerful people with an agenda will probably try to exploit it.

Edited 2016-09-22 16:13 UTC

Reply Parent Score: 4

RE: Forget about the law
by MysterMask on Thu 22nd Sep 2016 20:50 in reply to "Forget about the law"
MysterMask Member since:
2005-07-12

At that level, most people just need to get over themselves - what they say isn't that interesting


So why does Google use money and put effort into storing those messages?

Pretty naive to think things happen just because Larry found some old spare hard drives lying around at Google and used them for a fun holiday project out of boredom ..

Reply Parent Score: 2

RE[2]: Forget about the law
by Alfman on Thu 22nd Sep 2016 23:38 in reply to "RE: Forget about the law"
Alfman Member since:
2011-01-28

MysterMask,

Pretty naive to think things happen just because Larry found some old spare hard drives lying around at Google and used them for a fun holiday project out of boredom ..


Google corporate policy requires all user data to be kept whenever possible unless the project manager gets a signed exemption from the executives.

[/sarcasm]

Reply Parent Score: 2

RE: Forget about the law
by ilovebeer on Thu 22nd Sep 2016 23:51 in reply to "Forget about the law"
ilovebeer Member since:
2011-08-08

Interesting that everyone jumps to law enforcement, nefarious companies, etc. as the reason to not have their messages stored.

At that level, most people just need to get over themselves - what they say isn't that interesting, isn't that controversial, and isn't going to get them into trouble. Unless they've actually warranted it...

The issue isn't that people believe their conversations are `that interesting`, it's that people don't like to be spied on. People don't like everything they say and do to be recorded. It's not fear of being caught for illegal activities, it's simple principle and a right people are supposed to have under the fourth amendment.

We've reached a point where opinions are held against you - opinions that shouldn't be public to begin with and should certainly be protected by privacy. Opinions, not actions but opinions! The more information logging, the more people are abused by it over things they used to and shouldn't have to worry about.

We live in a world right now where you can't trust the apps you use, the OS your devices need to work, or even the hardware itself. It's actually worse than that because you don't even speak freely in the privacy of your own home. If your phone isn't recording, it's your tv. If it's not your tv, it's your........ Normal human beings tend to have a problem with that.

Reply Parent Score: 4

RE[2]: Forget about the law
by Alfman on Fri 23rd Sep 2016 00:42 in reply to "RE: Forget about the law"
Alfman Member since:
2011-01-28

ilovebeer,

We live in a world right now where you can't trust the apps you use, the OS your devices need to work, or even the hardware itself. It's actually worse than that because you don't even speak freely in the privacy of your own home. If your phone isn't recording, it's your tv. If it's not your tv, it's your........ Normal human beings tend to have a problem with that.


Just this week I came across this post (from a few months back) by a manager for Visual Studio. Apparently VS15 added proprietary tracking code to compiled binaries, which resulted in telemetry data for 3rd party apps getting transmitted to Microsoft through one of its telemetry channels. The post revealed that a new build of VS would be removing said feature, but the comments reveal just how shocking it was to developers that MS had added it to their executables without their consent to begin with. It was uncovered by a developer debugging his own software.

Take note that the recommended fix is to add notelemetry.obj to your project to override the feature because VS15 was designed with no option to disable it.

https://www.reddit.com/r/cpp/comments/4ibauu/visual_studio_adding_te...
hi everyone. This is Steve Carroll, the dev manager for the Visual C++ team.

Tl;dr: thanks folks for the feedback. Our team will be removing this from our static libs in Update 3.

Our intent was benign – our desire was to build a framework that will help investigate performance problems and improve the quality of our optimizer should we get any reports of slowdowns or endemic perf problems in the field.

We apologize for raising the suspicion levels even further by not including the CRT source, this was just an oversight on our part. Despite that, some of you already investigated how this mechanism works in nice detail. As you have already called out, what the code does is trigger an ETW event which, when it’s turned on, will emit timestamps and module loads events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs) so this data is only applicable to customers that are actively seeking help from us and are willing to share these PDBs as part of their investigation. We haven’t actually gone through this full exercise with any customers to date though, and we are so far relying on our established approaches to investigate and address potential problems instead.

We plan to remove these events in Update 3. In the meantime, to remove this dependency in Update 2, you should add notelemetry.obj to your linker command line. If you’re generally concerned about phone-home scenarios, more information about how to configure Windows 10 appropriately to your needs can be found here: https://technet.microsoft.com/en-us/itpro/windows/manage/configure-w...

Thanks.

Reply Parent Score: 2

RE: Forget about the law
by Morgan on Fri 23rd Sep 2016 00:51 in reply to "Forget about the law"
Morgan Member since:
2005-06-29

This is why I'm dumping Hangouts and FB messenger and going back to plain old SMS and email. Not iMessage either, but the 30+ year old texting and messaging technologies that were good enough for my parents, dammmit! If the three letter agencies are that concerned about what I text to my wife, my best friend, my mom, and my sister; well, let them look. They obviously have too much time on their hands.

If I ever do have something to say that I want to keep hidden I'll be sure to use a secure platform, even if that means a handwritten cypher passed via sneaker net. I simply can't think of a single thing I've said via third party or even first party messaging services that would be a security concern; I save that stuff for face to face conversations.

That said, I'm only speaking for myself. The world does need a better option, and I really hope someone, somewhere creates a truly secure end to end encrypted messaging protocol that is fully open source. There is Signal, but it only works on smartphones, and only those by Apple and Google (to function properly, the Chrome extension must connect to an Android device with Signal installed, which is bonkers). It's also not 100% open source, as the voice component is still proprietary[1]. We need something that is truly cross platform, that works with any Internet connection on any device, and is actually 100% open source. Anything less would be untrustworthy by default.

[1] http://news.softpedia.com/news/wire-drops-lawsuit-alleging-extortio...

Reply Parent Score: 2

RE[2]: Forget about the law
by darknexus on Fri 23rd Sep 2016 13:25 in reply to "RE: Forget about the law"
darknexus Member since:
2008-07-15

This is why I'm dumping Hangouts and FB messenger and going back to plain old SMS and email.

And that's supposed to help you... how? Carriers keep your SMS, and will share it at minimum with law enforcement. E-mail? Who, precisely, are the primary email providers? It doesn't matter one bit if you don't use them. It only matters that the people you email do. Same goes for your carrier: even if your carrier didn't log your SMS, your recipient's carrier probably does.
Tl;dr: Even if you are secure on your end, you can't guarantee the recipient is.

Reply Parent Score: 3

RE: Forget about the law
by kwan_e on Fri 23rd Sep 2016 13:35 in reply to "Forget about the law"
kwan_e Member since:
2007-02-18

what they say isn't that interesting, isn't that controversial, and isn't going to get them into trouble. Unless they've actually warranted it...
.
.
.
As ever, knee jerk reactions and hyperbole aren't useful, evaluate what products do and don't do, and use them (or not) appropriately.


https://www.theguardian.com/world/2013/aug/01/new-york-police-terror...

God help you if you had a brown sounding name, or if they decided to knock down your front door, you happened to be black at the time.

Reply Parent Score: 3