In years past, the need to encrypt your communications or use a VPN was an edge case, but in today's post-Snowden, metadata-retention world it is becoming commonplace. Google is often seen as a leader in security and privacy (in some cases), but it turns out that one of its largest communications platforms is unencrypted, at least in part.
Google has never been forthcoming about just how encrypted Hangouts is, but in a recent Reddit AMA held by Richard Salgado, Google’s director for law enforcement and information security, and David Lieber, Google’s senior privacy policy counsel, the truth finally came out: Hangouts is not encrypted end-to-end.
End-to-end is the key here. Hangouts messages are encrypted on the way from your PC to the server, as confirmed by Mr Salgado in a reply to a user:
Hangouts are encrypted in transit (https://support.google.com/hangouts/answer/6046115), and we’re continuing to extend and strengthen encryption across more services
Christopher Soghoian, principal technologist at the American Civil Liberties Union, followed up on Twitter, posting:
https://twitter.com/csoghoian/status/596738650433593344
Motherboard followed up with Google after the AMA and reported:
a spokesperson confirmed that Hangouts doesn’t use end-to-end encryption. That makes it technically possible for Google to wiretap conversations at the request of law enforcement agents, even when you turn on the “off the record” feature, which actually only prevents the chat conversations from appearing in your history—it doesn’t provide extra encryption or security.
Google has always been rather open regarding requests for wiretaps, but users, it seems, want more, and whether ‘we’re continuing to extend and strengthen encryption across more services’ is enough will be answered soon. Instant messaging is a big service, and if Google doesn’t move to give people what they want, other services will be waiting to do so.