Update 9/21/16: This post has been updated to include more information about how Allo collects your data.
The buzziest thing Google announced at its I/O conference Wednesday was Allo, a chatbot-enabled smartphone messaging app that looks to take on iMessage, Facebook Messenger, and the Facebook-owned WhatsApp.
Early sentiment about Allo is overwhelmingly positive: It looks beautiful, lets you doodle on images before you send them, comes with stickers as well as emojis, and it’s the first Google product to offer end-to-end encryption, which is certainly a good thing.
But if you care at all about your privacy, you should not use Google Allo.
Allo’s big innovation is “Google Assistant,” a Siri competitor that will give personalized suggestions and answers to your questions on Allo as well as on the newly announced Google Home, which is a competitor to Amazon’s Echo.
On Allo, Google Assistant will learn how you talk to certain friends and offer suggested replies to make responding easier. Let that sink in for a moment: The selling point of this app is that Google will read your messages, for your convenience.
Some reporters have lauded Allo for having an “Incognito Mode,” which will turn on end-to-end encryption for a specific conversation, meaning that, in theory, neither Google, nor hackers, nor law enforcement will be able to read messages sent in this mode. Incognito Mode is indeed a good thing to enable if you are going to use Allo, but a better idea would be to stay away from the app altogether.
Allo even has Incognito chats https://t.co/XrQjdWgTYs #liveblog #io16 pic.twitter.com/mfL2TOp7yE
— CNET (@CNET) May 18, 2016
Google would be insane to not offer some version of end-to-end encryption in a chat app in 2016, when all of its biggest competitors have it enabled by default. Allo uses the Signal Protocol for its encryption, which is good. But as with all other Google products, Allo will work much better if you let Google into your life.
Google is banking on the idea that you won’t want to enable Incognito Mode, and thus won't enable encryption.
Lots of people use Chrome’s Incognito Mode for searching for porn or other sensitive or embarrassing stuff, but how many people use Incognito for every search? Likewise, it’s smart to turn off location history in Google Maps because once Google has that data, it's out of your control. As with any app that collects personal data, it's hard to know where that data will eventually end up: in the hands of a hacker or law enforcement, for example. However, turning off location history means you have to type in your full home address every time you want directions home.
Making encryption opt-in was a decision made by the business and legal teams. It enables Google to mine chats and not piss off governments.
— Christopher Soghoian (@csoghoian) May 18, 2016
With Allo, the stated purpose of the app is to have a Google bot integrated into a messaging app, so that it can specifically learn more about you. In doing so, the messages you send to your friends will be more tailored—maybe it’ll suggest a coffee shop that’s halfway between you and the person you’re flirting with, for example. Google will have your express permission to mine your conversations for both your own benefit and the benefit of the company’s business interests (Gboard, Google’s new keyboard app with Google integration, has many of the same problems).
Google Allo's incognito mode is basically a sexting mode
— Tom Warren (@tomwarren) May 18, 2016
Allo is fundamentally different in this way than Hangouts or Gchat. With those two programs, Google showed no interest in injecting its own suggestions into what you type and thus showed no interest in learning more about you.
Allo, on the other hand, is the first major messaging app to have the express purpose of learning everything about you, further fleshing out Google’s already comprehensive profile of you. And so, of course it’s going to be less fun or useful when you’ve turned off that core feature. In that sense, it’s also entirely different than Facebook Messenger’s ‘M’ assistant bot (which may actually be a human). With M, you are speaking one-on-one with a bot, the bot isn’t monitoring every single thing you say to your friends.
One final note about Allo’s place in the current encryption debate: The FBI only started getting upset about the state of crypto after Apple and Google announced that they were going to turn on encryption on their smartphones by default. Before those announcements, encrypting your iPhone or Android device was possible and easy, but few people actually did it.
The FBI stopped asking for backdoors a while back. Now they are just asking firms to not encrypt by default. The FBI will like Google Allo.
— Christopher Soghoian (@csoghoian) May 18, 2016
And so my point isn’t that Allo is evil or Google is evil. But Allo’s security and privacy features are skin deep at best, and we should treat the app for what it is: Yet another chance for Google to learn more about you.
We’ve seen time and time again that people only use privacy tools when they are seamless and don’t affect the overall experience of using the app or program. With Allo, collecting data is core to the value it's offering. Google is giving consumers two options: Insecure with a wonderful user experience, or secure with an inferior experience. What do you think the masses are going to choose?
Update 9/21/16: Google Allo has just launched and, as the Verge reports, Google has backtracked on even its most basic privacy promises. By default, Google will store all non-Incognito messages on its servers in order to improve its AI bot service, according to the report. Messages can still be manually deleted or Incognito mode can be enabled to turn on end-to-end encryption. We recommend you stick with a service that has end-to-end encryption enabled by default, such as Signal, iMessage, or WhatsApp.