June 3, 2013

Google Trades Privacy and Security for “Hangouts”


We recently wrote about the conspicuous lack of privacy discussion at Google’s recent I/O Conference in San Francisco. While it’s true that there wasn’t much talk of privacy at the event, Google’s actions may have spoken louder than its lack of words when it became clear that the company would be rolling out a new instant messaging platform to replace its long-standing “Talk” app.


As highlighted by our activist friends at the Electronic Frontier Foundation, Google’s understandable move from the somewhat dated “Talk” to its new “Hangouts” platform has two consequences. The first has to do with the Extensible Messaging and Presence Protocol (XMPP), an open-source communication tool that benefited from Google’s support, which the company will scale back dramatically as it implements its new messaging service.

XMPP meant that users could communicate across platforms, using Talk to send messages to users on AOL’s Instant Messenger and any number of other chat providers. It also meant that Talk’s open-source framework supported ‘Off-the-Record’ (OTR) encryption, not to be confused with Google’s off the record feature, which I will explain shortly. Hangouts will not support either of these functionalities.

The second and seemingly more relevant (but actually less impactful) consequence is that within the new Hangouts platform, users will no longer have the option of “going off the record” for all of their chats. “Going off the record” means just what you think it means: turning the feature on makes it so that your communications aren’t archived by Google in your chat history. Users can still go off the record, but only on a contact-to-contact basis.

Per Google’s explanation:

“We’ve made a change to the Google Chat and Google Talk chat history settings. You can turn individual chats off the record, but you’ll no longer have the option to turn chat history off for all of your chats.”


So what, right? This change represents little more than a slight inconvenience and our reaction embodies our collective propensity toward fake online outrage, right? Sort of, but the discontinuation of XMPP has a more serious consequence upon closer consideration.

As the EFF’s Parker Higgins notes, privacy-conscious users who want to use OTR encryption will not be able to do so. The slight irony is that OTR encryption is a cryptographic communications protocol and a term that Google has misused egregiously. To Google, off the record has merely meant that conversations aren’t archived and has nothing to do with encryption. In reality, OTR is a “critical component of secure online communication.” When two users are using OTR, no one except them has access to the contents of their communications, including their service provider. The old XMPP framework allowed users to host their own chat servers, letting them use OTR encryption and communicate with Google users. That has changed.

“Users are given only the choice to use Google’s chat servers or to cut themselves off from people who do,” writes Higgins. “Worse, Google users aren’t presented with any notice about the change: their buddies who use jabber.org, member.fsf.org or any number of other XMPP servers, will simply not appear as available for chat.”

The point here is that no official Google application supports OTR, but users could get around that because of the openness of the XMPP framework. In other words, Google is trading the user security and privacy offered by their open-source Talk platform for their new Hangouts platform, which will be a flashier, more competitive and seamless way for the company to tie together its previously discordant applications, like G-Chat, Google Voice, and Google+ Hangouts (not to be confused with the new platform of the same name).

The vast majority of us will probably be disappointed with Google, a company that has generally done good for user data privacy and security, but ultimately, we’ll sigh and move into the new platform despite the privacy hit. For those who really require a secure chat app, we compiled a list of good ones when media outlets started suggesting that Skype may be susceptible to government surveillance.

In all fairness, Talk was great eight years ago when computer-to-computer instant messaging was the name of the game. In fact, Talk was revolutionary in the way it let users chat across platforms. Now, however, forever-connected, social mobile messaging between disparate devices and operating systems, in the form of WhatsApp and the chat services of BlackBerry and Facebook, has emerged as the new need, and may in fact end up replacing SMS-based text messages as well as the old chat.

The Verge published an excellent exclusive detailing the new Hangouts platform and explaining exactly how it came to be that Google, which seemed to have all the necessary parts, had fallen so far behind on mobile messaging. It’s definitely worth reading.