Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Accused of Showing 'Total Contempt' for Android Users' Privacy (bleepingcomputer.com)

Posted by msmash on from the bad-timing dept.

On the heels of a terse privacy debate, Google may have found another thing to worry about: its attempt to rethink the traditional texting system. From a report: Joe Westby is Amnesty International's Technology and Human Rights researcher. Recently, in response to Google's launch of a new messaging service called "Chat", Westby argued that Google, "shows total contempt for Android users' privacy."

"With its baffling decision to launch a messaging service without end-to-end encryption, Google has shown utter contempt for the privacy of Android users and handed a precious gift to cybercriminals and government spies alike, allowing them easy access to the content of Android users' communications. Following the revelations by CIA whistleblower Edward Snowden, end-to-end encryption has become recognized as an essential safeguard for protecting people's privacy when using messaging apps. With this new Chat service, Google shows a staggering failure to respect the human rights of its customers," Westby contended. Westby continued, saying: "In the wake of the recent Facebook data scandal, Google's decision is not only dangerous but also out of step with current attitudes to data privacy."

11 of 100 comments (clear)

  1. Guilty! by amiga3D · · Score: 4, Insightful

    Guilty as charged. I think it's time for some serious anti-trust action in Federal court.

    1. Re:Guilty! by TechyImmigrant · · Score: 5, Informative

      Guilty as charged. I think it's time for some serious anti-trust action in Federal court.

      Nope. It's messaging on the cell phone signalling protocols, just like SMS. This is different to an application running on the top.

      When you are defining such protocols, the governments of the world require "Lawful Access" laws to be adhered to. When we were working on WiMax, the FBI turned up to the meetings to discuss the LA features in the protocol.

      This is why you do secure messaging from and app, over IP.

      SMS and it's brethren will never be secure and there's nothing Google or anyone else can do about it, without a major change of behavior on the part of governments.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    2. Re:Guilty! by TheRaven64 · · Score: 3, Insightful

      In a previous thread, someone suggested generating and storing one-time pads on phones. It would be quite interesting to use bluetooth when you're physically near one of your contacts to automatically exchange a few tens of MBs of random noise and then use that as a OTP for future messages sent to them. For large attachments (e.g. photos), you could send a 256-bit AES key and then use symmetric encryption for the contents, but still have the OTP for text messages. 10MBs of OTP key would be more text messages than most people send in a year (around 75K, assuming that they are all full length).

      It would be an interesting experiment...

      --
      I am TheRaven on Soylent News
  2. Most people dont care by 140Mandak262Jamuna · · Score: 5, Insightful
    You set up web site and offer some trivial thing like 25 cents off a loaf of bread, and ask users to setup an account. They will use the same user name password they use for their bank account, and give you all the security question answers too.

    It is debatable, whether Facebook and Google show more contempt towards privacy than the users themselves

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Except that it's a protocol, not a server by Jason69 · · Score: 4, Interesting

    Google "Chat" is a protocol much like "SMS". It's not a service in and of itself but the underlying carriage for services to ride on top. Those services should absolutely include encryption but that is not the protocol's job to handle. "Joe Westby is Amnesty International's Technology and Human Rights researcher" Sounds like this research should do a little more research.

    1. Re:Except that it's a protocol, not a server by Anubis+IV · · Score: 4, Interesting

      Google "Chat" is a protocol much like "SMS". It's not a service in and of itself but the underlying carriage for services to ride on top. Those services should absolutely include encryption but that is not the protocol's job to handle.

      Actually, it is, because end-to-end encryption cannot feasibly exist* unless a key exchange mechanism is defined by the protocol. Moreover, it's clear that you're thoroughly confused both about what end-to-end encryption actually means and what Chat actually is.

      Encrypting each link in the chain—which is what you're talking about when you suggest it's a server's/service's job to handle encryption—is not the same thing as end-to-end encryption. End-to-end encryption means that only the sender and the recipient are privy to the messages: not the server, not a service, not anyone else in the chain. For that to happen, the message that you're sending has to be encrypted on your device in a way that only your recipient's device can decrypt. For all of that to work, you need a key exchange mechanism baked into the protocol in some way, since otherwise your device would have no idea what keys to use. The individual links along the chain may additionally be encrypted, but even if they weren't the message would still be end-to-end encrypted.

      At this point, end-to-end encryption is simply table stakes for anyone joining the chat game. Anyone trying to enter the field with a chat system that doesn't offer end-to-end encryption is declaring their intent to scan every single one of your private messages for profit.

      As for your protestation that it's a protocol not a service, it actually is a service, in the same way that SMS is both a protocol and a service. Chat supports richer content and a few other niceties that put it above SMS, but it clings to almost all of SMS's flaws, in that it isn't end-to-end encrypted, it's dependent on carrier support, and it's been superseded by far superior products from other companies (e.g. iMessages, WhatsApp, etc.).

      *Okay, technically it can, but what must necessarily happen when using those protocols is that people have to share their public keys with each other in some other manner, such as a real life exchange or a trusted, third-party service, at which point those practices become de facto aspects of the protocol as a result of their necessity. Moreover, no protocol of that sort is suitable for use by the general population, hence why those sorts of protocols are relegated to users who are willing to sacrifice any notion of convenience in the interest of achieving the best security.

  4. It's not a Google thing, though. by shess · · Score: 4, Interesting

    While Google is putting support behind RCS, it's not a Google thing, it's an industry-standard evolution of SMS. Google really should do better and offer end-to-end encryption, but that would only work in their walled garden, and they would still have to interoperate with everyone outside of that garden, who they have no control over.

  5. Re:End to end isn't the Google way by dns4599 · · Score: 5, Interesting

    You know allo exists? By default it does not use end to end encryption but you can enable it if you want to.

  6. The flood gates are open by Opportunist · · Score: 3

    Now that the whole Facebook shit hit the fan, we can finally hope that this whole privacy destroying data collection madness gets some attention.

    Keep the stories coming. And make sure that they keep the steam they have now.

    And yes, it doesn't even matter what kind of story. Few people will actually understand what's really going on anyway. But what matters is volume. If there is story after story after story about how companies destroy our privacy, people will finally listen. Not because they understand, but because of the amount that surfaces.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  7. Joe Westby is an idiot by viperidaenz · · Score: 4, Insightful

    Chat isn't a replacement for any encrypted communications tool.
    It's a replacement for SMS, which is also not encrypted.
    It's required to be backward compatible with SMS, because not all networks or phones will support it. You can't do end-to-end encryption when one end doesn't support encryption.
    It's required to be operated by cellular carriers, so to be able to be operated in various countries, access to messages is a requirement, like SMS.
    It's required to not have a central set of servers that are operated by a single company, like iMessage, WhatsApp, etc.

  8. For once, not Google's fault here by Etcetera · · Score: 4, Informative

    End to end encryption is fine, but Google (for once) is doing the right thing by having a telco standard instead of an over-the-top app sending God-knows-what.

    Would I like to see end-to-end encryption? Yes. I'd like to see SS7 issues fixed first. There are plenty of E2E secure messaging solutions out there and I can't see why RCS is worse than MMS as a solution for enchanced SMS service.

    At the very least, this is a fully interoperable system, not tied to Google, Inc or any specific carrier.

    That's a Good Thing.

    --
    Hire a Linux system administrator, systems engineer,