In the wake of all the Edward Snowden revelations, a seemingly endless series of encryption apps, all promising some degree “NSA-proof” security, have come out trying to take advantage of this new anti-surveillance business opportunity.
But despite some apps’ relative success, the reality is that most people probably just use mainstream messaging apps like iMessage or Google Hangouts.
Apple has long maintained that conversations over iMessage and Facetime use end-to-end encryption, meaning “no one but the sender and receiver can see or read them,” as the company said after the PRISM revelations. That claim has turned out to be partly true: normally, Apple can’t read your iMessages, but they can if they really want to.
Google, on the other hand, has been mostly silent—there have been no boastful public statements—about the security of its popular Hangouts service, which can be used for both text-based as well as audio-video conversations. In its support documentation, Google simply says that “when you message or talk with someone on Hangouts, your information will be encrypted so that it’s secure,” but there’s no mention of end-to-end encryption.
That’s why Christopher Soghoian, the principal technologist at the American Civil Liberties Union and an expert of surveillance technology, took advantage of a Reddit AMA to try to get Google to clarify how secure and private Hangouts really are.
“Why has Google refused to be transparent about its ability to provide wiretaps for Hangouts?”
But Salgado dodged the question, saying Hangouts is encrypted “in transit” and that “there are legal authorities that allow the government to wiretap communications.”
Why can— Christopher Soghoian (@csoghoian) May 8, 2015
Pro-tip: If you don— Christopher Soghoian (@csoghoian) May 8, 2015
As a Redditor eloquently put it, “this means that Hangouts are only encrypted on their way between your computer and Google's servers. Once they arrive at Google's end, Google has full access.”
“In short, this is confirmation Google can wiretap Hangouts,” reddit_poly wrote.
A Google spokesperson confirmed that Hangouts doesn’t use end-to-end encryption.
We asked Google to clarify, or elaborate, on Monday, and a spokesperson confirmed that Hangouts doesn’t use end-to-end encryption. That makes it technically possible for Google to wiretap conversations at the request of law enforcement agents, even when you turn on the “off the record” feature, which actually only prevents the chat conversations from appearing in your history—it doesn’t provide extra encryption or security.
It’s unclear how many times this actually happens, however. In all likelihood, it’s a rare occurrence. In all of 2013, Google only received 19 requests to perform a wiretap from the US government, according to the company’s Transparency Report. In the first six months of 2014, the latest data publicly available, Google received seven wiretap orders. (It has to be noted that the report doesn’t specify what Google product the wiretap orders were for.)
The Google spokesperson did not answer when we asked how many of those were for Hangouts.Regardless, and despite Google’s reticence, it’s clear that if the search giant has to, it can eavesdrop on your Hangouts chats and conversations.