Google Trades Privacy and Security for “Hangouts”

We recently wrote about the conspicuous lack of privacy discussion at Google’s recent I/O Conference in San Francisco. While it’s true that there wasn’t much talk of privacy at the event, Google’s actions may have spoken louder than its lack of words when it became clear that the company would be rolling out a new instant messaging platform to replace its long-standing “Talk” app.


As highlighted by our activist friends at the Electronic Frontier Foundation, Google’s understandable move from the somewhat dated “Talk” to its new “Hangouts” platform has two consequences: one has to do with the extensible messaging and presence protocol (XMPP), an open-source communication tool that benefited from Google’s support, which the company will scale back dramatically as it implements it’s new messaging service.

XMPP meant that users could communicate across platforms, using Talk to send messages to users on AOL’s Instant Messenger and any number of other chat providers. It also meant that Talk’s open-source framework supported ‘Off-the-Record’ (OTR) encryption, not to be confused with Google’s off the record feature, which I will explain shortly. Hangouts will not support either of these functionalities.

The second and seemingly more relevant (but actually less impactful) consequence is that within the new Hangouts platform, users will no longer have the option of “going off the record” for all of their chats. “Going off the record” means just what you think it means: turning the feature on makes it so that your communications aren’t archived by Google in your chat history. Users can still go off the record, but only on a contact-to-contact basis.

Per Google’s explanation:

“We’ve made a change to the Google Chat and Google Talk chat history settings. You can turn individual chats off the record, but you’ll no longer have the option to turn chat history off for all of your chats.”

Google is trading the user security and privacy offered by their open-source Talk platform for their new Hangouts platform, which will be a flashier, more competitive and seamless way for the company to tie together its previously discordant applications.

So what, right? This change represents little more than a slight inconvenience and our reaction embodies our collective propensity toward fake online outrage, right? Sort of, but the discontinuation of XMPP has a more serious consequence upon closer consideration.

As the EFF’s Parker Higgins notes, privacy-conscious users that want to use OTR encryption will not be able to do so. The slight irony is that OTR encryption is a cryptographic communications protocol and a term that Google has misused egregiously. To Google, off the record has merely meant that conversations aren’t archived and has nothing to do with encryption. In reality, OTR is a “critical component of secure online communication.” When two users are using OTR, no one except them has access to the contents of their communications, including their service provider. The old XMPP framework allowed for users to host their own chat servers, allowing them to use OTR encryption and communicate with Google users. That has changed.

“Users are given only the choice to use Google’s chat servers or to cut themselves off from people who do,” writes Higgins. “Worse, Google users aren’t presented with any notice about the change: their buddies who use, or any number of other XMPP servers, will simply not appear as available for chat.”

The point here is that no official Google application supports OTR, but users could get around that because of the openness of the XMPP framework. In other words, Google is trading the user security and privacy offered by their open-source Talk platform for their new Hangouts platform, which will be a flashier, more competitive and seamless way for the company to tie together its previously discordant applications, like G-Chat, Google Voice, and Google+ Hangouts (not to be confused with the new platform of the same name).

The vast majority of us will probably be disappointed with Google, a company that has generally done good for user data privacy and security, but ultimately, we’ll sigh and move into the new platform despite the privacy hit. For those that really require a secure chat app, we compiled a list of good ones media outlets started suggesting that Skype may be susceptible to government surveillance.

In all fairness, Talk was great eight years ago when computer to computer instant messaging was the name of the game. In fact, talk was revolutionary in the way it let users chat across platforms. Now however, forever-connected and social mobile messaging between disparate devices and operating systems like What’s App and BlackBerry and Facebook’s chat services have emerged as the new need, and may in fact end up replacing SMS-based text messages as well as the old chat.

The Verge published an excellent exclusive detailing the new Hangouts platform and explaining exactly how it came to be that Google, which seemed to have all the necessary parts, had fallen so far behind on mobile messaging. It’s definitely worth reading.

Send to Kindle

2 thoughts on “Google Trades Privacy and Security for “Hangouts”

  1. On what planet has Google ever given the remotest inkling that they were concerned in even a microscopic way about privacy?

    They published my feeds — without my consent — to the public Internet.

    They published my contacts — without my consent — to the public Internet.

    They send cookies on their CDN, set by other Google properties.

    They collected photos, GPS information, and wireless SSID lists.

    They got caught, so they went to collecting SSID lists (SSID fingerprints for a location) and GPS locations on Android.

    They’re promising no facial recognition on Glass — that’s great, except the photos upload automatically to Google Minus and Facebook, and both those services have facial recognition. So Google Glass won’t do it, but the server on which the videos, photos are being placed will.

    Do you know why they’re doing this?

    Google Talk conversations can’t be fully monitored. What Google wants to do is to route everything through their servers, period. That’s what Chrome is for. It’s what the toolbar has done since it’s very inception. They want to know everything you’re doing on the Internet, and they want to be involved to do w/e.

    Google Talk negotiates a direct peer-to-peer connection for video chat, for voice chat using Jingle. Google Hangout, on the other hand, routes everything to a server under Google’s control. They can see everything, and they can transcribe it — just like they do on Youtube.

    And that’s what this is all about, collecting more information that they can use to drive ads, pure and simple.

    But saying they give a damn about privacy, that’s a pretty bold and — likely — unsupportable statement.

  2. Other then Gmail I never sign up for anything else Google has to offer. Its as confusing to use as Facebook and privacy settings are obviously set not in favor of protecting privacy. I just choose to stop having people I don’t know sift through my information. I am not paranoid in the least. I think if you want to use Hangouts, Google + or any other social focused app. Then be my guest. Its not that they are not useful, I just think the lack of security defaults is concerning and trying to change those settings is too confusing.

Leave a Reply

Your email address will not be published. Required fields are marked *