end-to-end encryption – DoGoodSoft's Official Blog

Is Facebook making end-to-end encryption on Messenger opt-in only?

Facebook’s native chat is due to be silenced: Facebook’s reportedly going to kill it off, forcing users to instead use Messenger.

Rumor has it that Facebook Messenger will also offer the option of end-to-end encryption sometime in the next few months.

The Guardian, relying on input from three unnamed sources close to the project, earlier this week reported the end-to-end encryption news. Facebook hasn’t confirmed it, declining to comment on rumors or speculation.

The timing of these two things isn’t clear, but it would make sense for them to coincide – kill the native chat app just as a more privacy-protecting version of Messenger is ready to pull users in.

Ars Technica reports that some users are already getting pushed off the mobile version of Facebook’s native chat and onto the free, dedicated Messenger app.

Users of the regular Facebook mobile app were evicted a while ago. Now, it’s happening to those who access it via their phones’ web browsers or via third-party apps such as Tinfoil or Metal, Ars reports.

Some Android users are even being booted off chat automatically, shunted over to Google’s Play store to download Messenger when they try to check out their messages on the mobile site.

End-to-end encryption would shield conversations from all but the sender and receiver. That includes the prying eyes of both government surveillance outfits or from tech companies themselves.

The tradeoff: if Facebook can’t see conversations or get at users’ personal data, it can’t use artificial intelligence (AI) to chime in and do helpful things.

And, as we reported yesterday, Facebook’s on track to do a lot more language processing to figure out, for example, who’s messaging about needing a ride and therefore might want to have an Uber link pop up.

End-to-end encryption in Messenger would also put it on par with other encrypted messaging apps, including Apple iMessage, WhatsApp and Google’s new Allo messaging app.

Both Facebook and Google are trying to balance users’ demands for secure messaging with their thirst for services enhanced by the use of users’ personal data. Their solution: offer the end-to-end encryption as an opt-in feature.

As you might expect, some users are displeased with the notion of being forced onto Messenger, while some privacy experts are displeased with the idea that the speculated end-to-end encryption is opt-in rather than default.

The Guardian quoted Kenneth White, a security researcher and co-director of the Open Crypto Audit Project, which tests the security of encryption software:

The timing on killing native chat and releasing the Messenger crypto feature isn’t known, but The Register reports that it’s already been released for Windows 10 Mobile users.

Despite end-to-end encryption, your WhatsApp and Telegram chats can be spied on

Even though WhatsApp promises end-to-end encryption on all of its chats, and Telegram offers end-to-end encryption on secret chats, the truth is that messages on these platforms can still be hacked. The reason is because the messaging apps still rely on phone networks that use Signalling System No. 7, better known as SS7.

You might recall that back in April, we told you about SS7 when we passed along a story shown on 60 Minutes about hacking. SS7 is a protocol used to connect carriers around the world and affects all smartphone users regardless of the device they use. While SS7 can’t break the encryption employed by the two aforementioned messaging apps, it can be used to fool a wireless operator into helping the hacker open a duplicate WhatsApp and Telegram account in the name of the target.

The first step that a hacker employing SS7 does is trick the target’s carrier into believing that his phone number is the same as the target’s mobile number. Once that is accomplished, the hacker installs WhatsApp and Telegram on his phone, and uses the target’s number to set up new accounts. This will allow them to receive the secret code falsely proving that the hacker is the legitimate user of these accounts. Once all this is accomplished, the ruse is on as the hacker can send and receive messages pretending to be the target.

You can see how this all works by watching the pair of videos below. Most security firms still prefer WhatsApp and Telegram for their end-to-end encryption, which prevents “man-in-the-middle” hacks that redirect messages to a hacker’s phone. But obviously, opening a duplicate account can allow hackers to read messages not intended for their prying eyes.

Google engineer says he’ll push for default end-to-end encryption in Allo

After Google’s decision not to provide end-to-end encryption by default in its new chat app, Allo, raised questions about the balance of security and effective artificial intelligence, one of the company’s top security engineers said he’d push for end-to-end encryption to become the default in future versions of Allo.

Allo debuted with an option to turn on end-to-end encryption, dubbed “incognito mode.” Google obviously takes security seriously, but had to compromise on strong encryption in Allo in order for its AI to work. (Allo messages are encrypted in transit and at rest.)

Thai Duong, an engineer who co-leads Google’s product security team, wrote in a blog post today that he’d push for end-to-end encryption in Allo — then quietly deleted two key paragraphs from his post. In the version he originally published, Duong wrote:

These two paragraphs have been erased from the version of Duong’s post that is currently live.

This edit probably doesn’t mean that Duong won’t continue to lobby internally for end-to-end encryption — his job is to make Google’s products as secure as possible. But Google, like most major companies, is pretty cagey about revealing its plans for future products and likely didn’t want Duong to reveal on his personal blog what’s next for Allo.

Even without the paragraphs on end-to-end encryption, Duong’s post offers interesting insight into Google’s thinking as it planned to launch Allo. For users who care about the security of their messaging apps, Duong highlights that it’s not encryption that matters most to Allo, but rather the disappearing message feature.

“Most people focus on end-to-end encryption, but I think the best privacy feature of Allo is disappearing messaging,” Duong wrote. “This is what users actually need when it comes to privacy. Snapchat is popular because they know exactly what users want.”

Duong also confirmed the likely reason Google didn’t choose to enable end-to-end encryption in Allo by default: doing so would interfere with some of the cool AI features Allo offers. For users who don’t choose to enable end-to-end encryption, Allo will run AI that offers suggestions, books dinner reservations and buys movie tickets. But the AI won’t work if it can’t scan a user’s messages, and it gets locked out if the user enables end-to-end encryption.

We reached out to Google to ask if the company asked Duong to edit to his blog post and will update if we hear back. Duong stressed that the post only reflected his personal beliefs, not those of Google — and we hope his advocacy for a default incognito mode comes to fruition.

Pushbullet adds end-to-end encryption as it continues shift into messaging

Pushbullet, once a simple tool for sending files between your various devices, has announced that it now supports end-to-end encryption for additional user privacy, as it continues its march towards becoming a fully-fledged messenger.

Announced in a blog post, the new encryption is applied across notifications that are mirrored between devices, any text captured by the universal copy-and-paste option and any SMS messages that are sent using the platform.

Once enabled (achieved by entering a password on each device), it means that data passed using Pushbullet isn’t visible to the service itself or the company – only encrypted data is passed along.

To enter a password for end-to-end encryption, you just need to go to the settings menu on each device. Don’t forget your password though, there’s no record of it anywhere.

For now, the Pushbullet Android, Chrome and Windows desktop apps support the feature, but the company says that it’s working to bring it to iOS and Mac as “soon as possible.” Opera, Safari and Firefox support will then be added later.

While it’s a relatively small (but nonetheless important) feature for users, it’s essential for the future of the company if it’s intent on ploughing ahead into the messaging space.

Google Hangouts doesn’t use end-to-end encryption

If you’re using Google Hangouts as your main messaging service, you might want to know that Hangouts doesn’t use end-to-end encryption (E2EE), a must-have feature for messaging services in the post-Snowden world.

This was recently confirmed during a Reddit Ask Us Anything (AUA) session by Google’s Richard Salgado, Director for Law Enforcement and Information Security, and David Lieber, Senior Privacy Policy Counsel.

As far as messaging services go, end-to-end encryption is a method of encrypting data so that only the sender and the recipient of a certain message can make sense of the data being transferred. The main thing to bear in mind is that the provider of an E2EE-encrypted messaging service cannot view the messages itself, as the data is encrypted and decrypted locally by the sender and the recipient.

While the service provider has access to the bits of information that are transmitted between the sender and the recipient, this data looks like complete gibberish without the encryption key. It’s worth noting that Whatsapp, the largest messaging service in the world, uses end-to-end encryption, as does Apple’s iMessage.

The two Google representatives confirmed that Hangouts only uses in-transit encryption, a method that prevents ISPs and telecom operators from peeking at the messages. Long story short, Google can intercept Hangouts conversations when ordered by law enforcement agencies and governments.

Google previously revealed that requests for user data coming in from governments across the globe rose one and a half times over the past five years, although the company did not break down the numbers by service.

Google admits Hangouts doesn’t use end-to-end encryption, opening the door for government wiretaps

If you’re really worried the government may be keeping tabs on your conversations, then you’d best avoid Hangouts.

According to Motherboard, a Google representative confirmed that Hangouts conversations are only encrypted “in transit,” meaning after the message arrives at the intended recipient Google could access it if forced to do so by a government wiretap.

The question arose from a Reddit AMA with two senior members of Google’s public policy and legal team. An ACLU representative pinned them down about encryption, but wasn’t able to get them to detail if all messages were encrypted from end-to-end.

Richard Salgado, Google’s director for law enforcement and information security, and David Lieber, the senior privacy policy counsel, would only confirm the in-transit encryption. Salgado reaffirmed the government’s prerogative to order such surveillance: “There are legal authorities that allow the government to wiretap communications.”

In reality, such wiretaps are rare. Google’s transparency report details only seven wiretap orders for nine accounts in the first half of 2014, the most recent data available because the U.S. government requires a six-month waiting period.

Why this matters: Apple has touted the privacy of iMessage as another advantage to the security conscious over Android. Other messaging platforms, like the Mark Cuban-backed Cyber Dust, also promise secrecy. Google may not see this extra step as necessary until a backlash arises from those who want more privacy from their Hangouts conversations.