Google’s Big Encryption Gamble
Of the many recent Google I/O announcements made, a few stood out to this cybersecurity expert. Google announced a new video chat app, a messaging app, and smart home appliance called Duo, Allo and Google Home respectively. All these products are due out this summer and promise to deliver outstanding AI-based features for users. All of these products also promise to leverage everything Google already knows about you to deliver things you didn’t even know you wanted. But all of these products do not deliver end-to-end encryption. That is a huge business gamble for Google and also a gamble for its billion+ users.
Google, the 2nd most valuable company in the world, is gambling on their services to win out over the both real and perceived privacy and security hazards ahead.
At Google I/O, CEO, Sundar Pichai made statements such as “We believe the real test is whether humans can achieve a lot more with machine learning assisting them,” and “It’s not just enough to get them links, we really need to help them get things done,” and “We want users to have an ongoing, two-way dialogue with Google.” While that sounds great to me, it also sends up red flags.
For years, security-minded folks have gravitated towards Apple’s iOS for its hands-off approach on personal data. Google devices still function even when users are not logged into Google, but Google always sets the default to ON. Google’s marketing team probably hates this fact but their engineering team needs users to be constantly feeding their search engines, emails and chat sessions with private user data. It’s how Google works but a little part of me always hoped they would offer a separate product line that was fully encrypted and private from prying eyes, including Google’s. It would seem that now there is no turning back to full encryption.
No Turning Back To Encryption
Google’s announcement that the future is AI signaled an obvious move in same direction they were already heading with little chance of turning back. Digging through billions of user metadata and conversation content requires hefty processing power. Google offloads this data to the cloud where it is processed and sent back to the user’s phones as answers to queries or commands. Google sends/receives this data using software but not hardware encryption. Of course everything is software encrypted so that it cannot be easily intercepted but Google has the key to all of this encryption so they can share, sell or hand over your data at any time as they see fit according to their EULA. That puts all user data in a more vulnerable state than Apple’s iOS data for example. Apple can’t share user data on iOS devices even if they wanted to.
Google’s Allo is a WhatsApp competitor. Duo, Google’s answer to FaceTime is an Apple competitor. And Google Home is a direct competitor to Amazon’s Echo. While Amazon’s Echo has no known security holes, it’s far less worrisome than the security potential of something like a Google Home. But the fear of a device that is always on and listening isn’t going to go away anytime soon for many users. Remember Samsung TVs always listening? That didn’t go too well to ease consumer concerns over privacy. Google’s data mining ability overshadows all of these products so the threat potential is only growing.
Insecure By Default
Since Google insists on turning off end-to-end encryption by default, the majority of their users could be unknowingly or even unwillingly sharing all that data with Google, potential hackers, foreign governments or even our own government. This isn’t a big brother scare tactic. We’ve recently seen the FBI and Senate lobbying to gain access to any encrypted data they want so it’s no stretch to imagine them going after unencrypted data even harder. Google engineer, Thai Duong, recently published a blog explaining his desire for end-to-end encryption to be ON by default. Since this posting, the blog and his response to user comments have been edited to clarify. Read the arstechnica article for more details.
In the end, this is about Google’s business model always outshining their privacy policies. And so long as they continue to mine data for services, their business model will always win out over our privacy concerns. Google, the 2nd most valuable company in the world, is gambling on their services to win out over the both real and perceived privacy and security hazards ahead. We all want them to win but not at our expense.
*This blog originally appeared on Tripwire The State of Security