Last week, Google announced their new smartphone messaging app Allo. Should you use it?

Answer: No.

Let me explain why.

One of the best ways of resisting mass surveillance is to use services where end-to-end encryption (E2EE) is enabled by default. E2EE means that only the sender and receiver of a message can read it. The NSA could still read messages by hacking into your phone directly, but they can’t (unless they hack everyone’s phones) read everyone’s messages this way. This is why widespread adoption of services such as WhatsApp (which uses E2EE) is a good thing.

With WhatsApp, iMessage, and Signal adopting E2EE by default, many were looking to see what Google would do with their latest product. Would they also use E2EE?

Well… sort of.

Allo only uses end-to-end encryption in ‘Incognito mode’. By default, messages are not encrypted this way. Furthermore, incognito messages are only stored for a few minutes. While good for security, this disincentivises continuous use of the mode. The likely result? The vast majority of Allo messages will not be securely encrypted. Google, and governments worldwide, will be able to read and analyse the messages of everyone using the service. This is a bad thing.

So which messaging service should you use if you care about human rights? To answer this question we have to briefly talk about metadata.

E2EE protects the contents of messages but not the metadata (who, what, where, when) of the parties involved. Metadata is just as important as content (if not more so) when it comes to mass surveillance - it’s easy to analyse in bulk and can be used to determine the important places, people, and daily patterns in your life. A good messaging app should protect not only the content of your communications but also the metadata.

WhatsApp uses E2EE but hasn’t said whether it stores metadata. Given that its terms explicitly allow for metadata collection, we should assume that it does. iMessage also stores metadata. So what’s the alternative?

The general consensus right now seems to be that Signal is the best option. It uses E2EE by default and doesn’t store any metadata. It has clients for Android, iOS, and desktop and is a joy to use. Unlike WhatsApp, Signal is completely open source, so anyone can check the code for security flaws or malicious behaviour. What’s more, the tech behind Signal is so widely respected that both WhatsApp and Google have adopted it.

But don’t just take my word for it. Signal is recommended by, among others, Edward Snowden himself.

You can download Signal here.

James

