CSIS and other law enforcement agencies can wiretap Google Hangouts


With the federal government passing Bill C-51 last week, there’s more reason than ever for Canadians to be curious whether chat programs like Hangouts protect their privacy.

Thanks to a recent Reddit AMA, we now know that Hangouts does not employ end-to-end encryption, meaning that the service can be wiretapped.

In the past, it was unclear how secure Hangouts was because Google said precious little about the service’s encryption situation. “When you message or talk with someone on Hangouts, your information will be encrypted so that it’s secure,” is the extent of what the company’s support site says on the topic.

During the aforementioned AMA, Christopher Soghoian, a member of the American Civil Liberties Union, asked Richard Salgado, the company’s director for law enforcement and information security, to clarify the situation.

“Google has repeatedly refused to acknowledge whether or not it is capable of wiretapping Hangouts for government agencies,” said Soghoian. “Why has Google refused to be transparent about its ability to provide wiretaps for Hangouts? Given Google’s rather impressive track record regarding surveillance transparency, the total secrecy regarding the company’s surveillance capabilities for this product is quite unusual.”

“Hangouts are encrypted in transit, and we’re continuing to extend and strengthen encryption across more services,” said Salgado in response to the question.

Vice-owned Motherboard later asked Google to comment on Salgado’s response. The company used this opportunity to confirm that Hangouts does not, in fact, use end-to-end encryption. The significance of that statement is that Google, or any agency with the ability to do so, can wiretap Hangouts. It’s as reddit_poly notes in the AMA, “Once they arrive at Google’s end, Google has full access. In short, this is confirmation Google can wiretap Hangouts.”

Other chat services like iMessage, WhatsApp (on Android, at least) and the recently-launched BitTorrent Bleep, use end-to-end encryption to avoid wiretapping.