Google encrypts your Hangouts conversations, but it doesn’t use end-to-end encryption. This means that Google can wiretap your Hangouts at the government’s request.
That’s one big revelation from a recent reddit AMA with Richard Salgado, Google’s director for law enforcement and information security, and David Lieber, Google’s senior privacy policy counsel.
The American Civil Liberties Union’s chief technologist Christopher Soghoian asked the Google reps why they’ve made a habit of dodging questions about Hangouts’ encryption, saying,
“Hi. Google has repeatedly refused to acknowledge whether or not it is capable of wiretapping Hangouts for government agencies. In contrast, Apple’s FaceTime product uses end-to-end encryption and the company says it is not able to wiretap this service. Why has Google refused to be transparent about its ability to provide wiretaps for Hangouts? Given Google’s rather impressive track record regarding surveillance transparency, the total secrecy regarding the company’s surveillance capabilities for this product is quite unusual.”
Google’s response (bolding ours)?
“There are legal authorities that allow the government to wiretap communications. Google was the first company to disclose the number of wiretap orders it receives issued in criminal investigations. (There were a total of 7 wiretap orders in the first half of 2014, covering 9 accounts, for example). We also report requests made under national security authorities to the extent we are allowed by law. We want to be able to be much more granular about the number and nature of these demands, and think that’s important for people who use Google, policymakers and the public. Hangouts are encrypted in transit, and we’re continuing to extend and strengthen encryption across more services.”
As reddit user reddit_poly put it, “this means that Hangouts are only encrypted on their way between your computer and Google’s servers. Once they arrive at Google’s end, Google has full access. In short, this is confirmation Google can wiretap Hangouts.”
Pro-tip: If you don't want to talk about how you help the government spy on people, maybe not so wise to do a Reddit AMA about surveillance.
— Christopher Soghoian (@csoghoian) May 8, 2015
Google confirmed all of this to Vice:
We asked Google to clarify, or elaborate, on Monday, and a spokesperson confirmed that Hangouts doesn’t use end-to-end encryption. That makes it technically possible for Google to wiretap conversations at the request of law enforcement agents, even when you turn on the “off the record” feature, which actually only prevents the chat conversations from appearing in your history—it doesn’t provide extra encryption or security.
According to Google’s latest Transparency Report, the company received 25 wiretap requests from January 2013 to June 2014. Whether those requests related specifically to Hangouts was not disclosed.