Skip to main content

Google backs off on previously announced Allo privacy feature

Google backs off on previously announced Allo privacy feature

/

The app will log conversations by default after all

Share this story

When Allo was announced at Google’s I/O conference earlier this year, the messaging app was presented as a step forward for privacy. Alongside the end-to-end-encrypted Incognito Mode, the Allo team talked about bold new message retention practices, storing messages only transiently rather than indefinitely.

But with the release of the app today, Google is backing off on some of those features.

The version of Allo rolling out today will store all non-incognito messages by default — a clear change from Google’s earlier statements that the app would only store messages transiently and in non-identifiable form. The records will now persist until the user actively deletes them, giving Google default access to a full history of conversations in the app. Users can also avoid the logging by using Allo’s Incognito Mode, which is still fully end-to-end encrypted and unchanged from the initial announcement.

A change to improve the Allo assistant

Like Hangouts and Gmail, Allo messages will still be encrypted between the device and Google servers, and stored on servers using encryption that leaves the messages accessible to Google’s algorithms.

According to Google, the change was made to improve Allo's smart reply feature, which generates suggested responses to a given conversation. Like most machine learning systems, the smart replies work better with more data. As the Allo team tested those replies, they decided the performance boost from permanently stored messages was worth giving up privacy benefits of transient storage.

The decision will also have significant consequences for law enforcement access to Allo messages. By default, Allo messages will now be accessible to lawful requests, similar to message data in Gmail and Hangouts and location data collected by Android. In the past, Google legal officers have stated that subpoenas are not sufficient to obtain that information, stating "we believe a warrant is required by the Fourth Amendment to the U.S. Constitution" for access to private information in a Google account.

The messages might not be there if the user had previously deleted them, or if the conversations took place in Incognito Mode — but in most cases, they will be. That leaves Google with much less danger of the kind of legal showdown Apple faced in San Bernardino and WhatsApp currently faces in Brazil.

Update 1:26PM ET: Updated with more information about Google's internal legal review.