The Google Allo app for instant text messaging has now gone live across the world. The app is available on Android and iOS worldwide, and is being pitched as a potential challenger to WhatsApp, Facebook Messenger, Snapchat and others. But it seems Google Allo is already facing a privacy concern. Google Allo is not end-to-end encrypted by default, but the company had said at I/O that all messages are encrypted by default and then deleted from its servers.
Now, according to a report in The Verge, Google Allo will be storing all messages (in the non-incognito mode) by default on its servers. Earlier, Google had indicated that requests made to the Google Assistant would be stored only transiently and eventually deleted. However, it seems the records will now remain, and a user will have to actively delete them in the settings.
Google Allo messages will be encrypted between the device and Google servers, but make no mistake: the company plans to store these messages. According to the Allo help page, Google is using this information to improve the Assistant experience.
“We’ll continue to improve the usefulness of the Google Assistant over time, and part of this is through learning from past activity with the Google Assistant,” says one of the support pages for Allo. Assistant is a machine-learning system that works better with more data over time, so Google needs to make sure it has all the information it needs. Unfortunately, that also means user privacy around chats is affected.
Google Allo had faced privacy concerns earlier as well, with NSA whistleblower Edward Snowden questioning why Google had not made Incognito the default mode.
Interestingly, after the May announcement, Google engineer Thai Duong wrote a blog post on Allo’s security and said the AI chatbot will be able to read users’ messages in the default mode, and the messages are temporarily stored on Google’s servers.
His blog post read at the time, “Allo clients talk to Google servers using QUIC or TLS 1.2. When messages are temporarily stored on our servers waiting for delivery they are also encrypted, and will be deleted as soon as they’re delivered.” Obviously this has now changed.
Interestingly, in the original post Duong had said he was an engineer “in charge of the end-to-end encryption feature”, but he later edited the post to say that he had consulted on “security for Allo,” from the outside.
With Google storing messages from Allo, it will raise privacy issues for a lot of users. However, Duo, the video-calling version of the app, is end-to-end encrypted. Also, the Incognito mode in Allo is end-to-end encrypted, and messages have an expiration time that a user can set, after which they will be deleted.