Google finally adds HSTS encryption to google.com

Featured

Google finally adds HSTS encryption to google.com

Google, known for its security practices, has finally brought HTTP Strict Transport Security (HSTS) to google.com to strengthen its data encryption. HSTS helps protect against eavesdroppers, man-in-the-middle attacks, and hijackers who attempt to spoof a trusted website. Chrome, Safari, and Internet Explorer all support HSTS.

“HSTS prevents people from accidentally navigating to HTTP URLs by automatically converting insecure HTTP URLs into secure HTTPS URLs,” said Jay Brown, a senior technical program manager for security at Google, in a blog post. “Users might navigate to these HTTP URLs by manually typing a protocol-less or HTTP URL in the address bar, or by following HTTP links from other websites.”

Typically, implementing HSTS is a fairly simple process, Brown said. But, due to Google’s complex algorithms, the company had to address mixed content, bad HREFs, redirects to HTTP, and other issues like updating legacy services which could cause problems for users as they try to access the core domain.

Brown also noted that the team accidentally broke Google’s Santa Tracker just before Christmas last year during testing.

According to Google, about 80% of requests to its servers today use encrypted connections. The use of HSTS goes a step further by preventing users from mistakenly visiting unsafe URLs.

Certain domains, including Paypal and Twitter, will be automatically configured with HSTS to keep users safe, according to Google’s HSTS Preload List.

Google is now focused on increasing the “max-age,” or the duration that the header is active. The max-age is currently set to one day to help mitigate the risk of any potential problems with the rollout. “By increasing the max-age, however, we reduce the likelihood that an initial request to www.google.com happens over HTTP,” Brown said. “Over the next few months, we will ramp up the max-age of the header to at least one year.”

Increasing encryption

Google is currently working to implement HTTPS across all of its products. In March 2014, the company announced the use of HTTPS-only for Gmail.

Increasing encryption and security around its core products will be key for Google to remain in good standing with enterprise and consumer customers as concerns over cybersecurity ramp up across verticals.

Encryption remains at the forefront of many cybersecurity discussions, especially after last year’s terrorist attack in San Bernardino, CA, and the FBI’s dispute with Apple over access to the shooter’s iPhone.

In March, Google joined Facebook, Microsoft, and others who filed in support of Apple in its refusal of a court order forcing it to unlock the shooter’s iPhone for authorities.

The Federal Bureau of Investigations is holding ongoing talks with technology companies about a range of privacy and encryption issues, according to FBI director James Comey. The agency is also collecting statistics on the effect of encryption on its investigations.

“Encrypting data in transit helps keep our users and their data secure,” Brown said. “We’re excited to be implementing HSTS and will continue to extend it to more domains and Google products in the coming months.”

Google engineer says he’ll push for default end-to-end encryption in Allo

Featured

Google engineer says he'll push for default end-to-end encryption in Allo

After Google’s decision not to provide end-to-end encryption by default in its new chat app, Allo, raised questions about the balance of security and effective artificial intelligence, one of the company’s top security engineers said he’d push for end-to-end encryption to become the default in future versions of Allo.

Allo debuted with an option to turn on end-to-end encryption, dubbed “incognito mode.” Google obviously takes security seriously, but had to compromise on strong encryption in Allo in order for its AI to work. (Allo messages are encrypted in transit and at rest.)

Thai Duong, an engineer who co-leads Google’s product security team, wrote in a blog post today that he’d push for end-to-end encryption in Allo — then quietly deleted two key paragraphs from his post. In the version he originally published, Duong wrote:

Google engineer says he'll push for default end-to-end encryption in Allo

These two paragraphs have been erased from the version of Duong’s post that is currently live.

This edit probably doesn’t mean that Duong won’t continue to lobby internally for end-to-end encryption — his job is to make Google’s products as secure as possible. But Google, like most major companies, is pretty cagey about revealing its plans for future products and likely didn’t want Duong to reveal on his personal blog what’s next for Allo.

Even without the paragraphs on end-to-end encryption, Duong’s post offers interesting insight into Google’s thinking as it planned to launch Allo. For users who care about the security of their messaging apps, Duong highlights that it’s not encryption that matters most to Allo, but rather the disappearing message feature.

“Most people focus on end-to-end encryption, but I think the best privacy feature of Allo is disappearing messaging,” Duong wrote. “This is what users actually need when it comes to privacy. Snapchat is popular because they know exactly what users want.”

Duong also confirmed the likely reason Google didn’t choose to enable end-to-end encryption in Allo by default: doing so would interfere with some of the cool AI features Allo offers. For users who don’t choose to enable end-to-end encryption, Allo will run AI that offers suggestions, books dinner reservations and buys movie tickets. But the AI won’t work if it can’t scan a user’s messages, and it gets locked out if the user enables end-to-end encryption.

We reached out to Google to ask if the company asked Duong to edit to his blog post and will update if we hear back. Duong stressed that the post only reflected his personal beliefs, not those of Google — and we hope his advocacy for a default incognito mode comes to fruition.

Google closing in on target of full encryption

Featured

Google is disclosing how much of the traffic to its search engine and other services is being protected from hackers as part of its push to encrypt all online activity.

Encryption shields 77 percent of the requests sent from around the world to Google’s data centers, up from 52 percent at the end of 2013, according to company statistics released Tuesday. The numbers cover all Google services except its YouTube video site, which has more than 1 billion users. Google plans to add YouTube to its encryption breakdown by the end of this year.

Encryption is a security measure that scrambles transmitted information so it’s unintelligible if intercepted by a third party.

Google began emphasizing the need to encrypt people’s online activities after confidential documents leaked in 2013 by former National Security Agency contractor Edward Snowden revealed that the U.S. government had been vacuuming up personal data transferred over the Internet. The surveillance programs exploited gaping holes in unencrypted websites.

While rolling out more encryption on its services, Google has been trying to use the clout of its influential search engine to prod other websites to strengthen their security.

In August 2014, Google revised its secret formula for ranking websites in its search order to boost those that automatically encrypted their services. The change meant websites risked being demoted in Google’s search results and losing visitors if they didn’t embrace encryption.

Google is highlighting its own progress on digital security while the FBI and Apple Inc. are locked in a court battle over access to an encrypted iPhone used by one of the two extremist killers behind the mass shootings in San Bernardino, California, in December.

Google joined several other major technology companies to back Apple in its refusal to honor a court order to unlock the iPhone, arguing that it would require special software that could be exploited by hackers and governments to pry their way into other encrypted devices.

In its encryption crusade, Google is trying to make it nearly impossible for government spies and other snoops from deciphering personal information seized while in transit over the Internet.

The statistics show that Google’s Gmail service is completely encrypted as long as the correspondence remains confined to Gmail. Mail exchanges between Gmail and other email services aren’t necessarily encrypted.

Google’s next most frequently encrypted services are maps (83 percent of traffic) and advertising (77 percent, up from just 9 percent at the end of 2013). Encryption frequency falls off for Google’s news service (60 percent) and finance (58 percent).

Google CEO Pichai Lends Apple Support on Encryption

Featured

Google CEO Pichai Lends Apple Support on Encryption

Google Chief Executive Sundar Pichai lent support to Apple Inc.’s  pushback against a federal order to help law enforcement break into the locked iPhone of an alleged shooter in the San Bernardino, Calif., attacks.

Mr. Pichai wrote on Twitter on Wednesday that “forcing companies to enable hacking could compromise users’ privacy.”

Google CEO Pichai Lends Apple Support on Encryption

A federal judge Tuesday ordered Apple to enable investigators to bypass the passcode of the iPhone once used by alleged shooter Syed Rizwan Farook. Apple CEO Tim Cook wrote on Apple’s website that such a move would create “a backdoor” around security measures hackers could eventually use to steal iPhone users’ data.

On Twitter, Mr. Pichai called Mr. Cook’s letter an “important post.” He said that while Alphabet Inc.’s Google provides user data to law enforcement under court orders, “that’s wholly different than requiring companies to enable hacking of customer devices and data. Could be a troubling precedent.”

Google CEO Pichai Lends Apple Support on Encryption

Google, like Apple, has been locked in an intensifying battle with U.S. authorities over the companies’ smartphone encryption software. The firms say that the encryption is crucial to protecting users’ privacy, and keeping their trust. Law enforcement officials say such software hinders criminal investigations, including into the San Bernardino attacks.

Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Featured

Microsoft, Google, Facebook to U.K.: Don’t weaken encryption

Microsoft, Google and Facebook are urging U.K. officials not to undermine encryption as they work on laws that would authorize forcing communications service providers to decrypt customer traffic.

In a joint written submission to the U.K. Parliament the three U.S.-based companies lay down several areas of concern, which, if not addressed, they say could damage their businesses and leave them caught in legal crossfires among the many countries where they do business.

The companies say they don’t want the U.K. to impose restrictions and apply them to foreign service providers such as themselves because, if other countries followed suit, it would lead to a morass of laws impossible to navigate. “Conflicts of laws create an increasingly chaotic legal environment for providers, restricting the free flow of information and leaving private companies to decide whose laws to violate,” the submission says.

They staunchly support encryption without backdoors. “The companies believe that encryption is a fundamental security tool, important to the security of the digital economy as well as crucial to ensuring the safety of web users worldwide,” they write. “We reject any proposals that would require companies to deliberately weaken the security of their products via backdoors, forced decryption, or any other means.”

Despite what the U.K.’s Home Secretary Theresa May has said about not seeking encryption backdoors, they want it in writing. “We appreciate the statements in the Bill and by the Home Secretary that the Bill is not intended to weaken the use of encryption, and suggest that the Bill expressly state that nothing in the Bill should be construed to require a company to weaken or defeat its security measures.”

The Parliament is considering bills that would give government agencies access to communications across service provider networks with proper legal authorization, which would affect Microsoft, Google and Facebook, all of which operate globally and face compliance with laws in many countries.

As the U.K. is considering such laws, the Netherlands have rejected forcing providers to break encryption on demand. In the U.S., Congress has held hearings in which members say they will propose legislation to require providing cleartext versions of encrypted traffic when presented with a judge’s order.

The three companies ask that if the U.K. does create lawful access to encrypted communications, companies based outside the U.K. would not be required to comply if that would go against laws it has to follow in other countries.

They urge an international agreement on how the lawful-access laws of individual countries should be observed in other countries to remove ambiguities that might prevent them from complying with all of them.

The companies want to protect customer privacy by requiring notification of those whose communications are intercepted. “While it may be appropriate to withhold or delay notice in exceptional cases, in those cases the burden should be on the Government to demonstrate that there is an overriding need to protect public safety or preserve the integrity of a criminal investigation,” they say.

They also seek to protect data stored in the cloud the same way it is protected in private data centers. The government should go to a business if it is seeking a business’s data, just as it did before cloud services existed. “This is an area where the UK can lead the rest of the world, promoting cloud adoption, protecting law enforcement’s investigative needs, and resolving jurisdictional challenges without acting extraterritorially,” they say.

They note that the draft lacks requirements for agencies to tell the providers if they know of vulnerabilities in their networks that could be exploited, and that any authorized actions agencies take don’t introduce new vulnerabilities.

Microsoft, Google and Facebook seem concerned that agencies granted legal access to their networks might alter them lest that have a negative effect on the services they deliver over those networks. “The clearest example is the authority to engage in computer network exploitation, or equipment interference,” they say. “To the extent this could involve the introduction of risks or vulnerabilities into products or services, it would be a very dangerous precedent to set, and we would urge your Government to reconsider.”

The companies want protections for their executives located within the U.K. They want warrants, when they have to be served on communications companies, to be served to officers of the companies who are located at the companies’ headquarters, not to employees of the companies located in the U.K. “We have collective experience around the world of personnel who have nothing to do with the data sought being arrested or intimidated in an attempt to force an overseas corporation to disclose user information,” they write. “We do not believe that the UK wants to legitimize this lawless and heavy-handed practice.”

They don’t want to be forced to create and retain data about customers that they don’t already in the normal course of business. “Some language under the retention part of the Bill suggests that a company could be required to generate data – and perhaps even reconfigure their networks or services to generate data – for the purposes of retention,” they write.

The companies think whatever judicial approvals are required to issue warrants to decrypt communications ought to apply to other U.K. orders issued to communications providers by the U.K.’s Defense Intelligence and other intelligence services. These other orders include national security notices, maintenance of technical capability orders, and modifications to equipment interference warrants.

They want the law to narrowly define bulk collection of data so it doesn’t include all traffic on a given channel, but rather is restricted to traffic specified by specific indicators such as source and destination, for example. The law should allow only necessary and proportionate amounts of data be analyzed and retained, and the rest be destroyed, they say.

Service providers should be allowed to hire attorneys and protest warrants without running the risk of violating disclosure laws or acknowledging that they actually are subject to the law, they write.

They take exception to a single word – urgent – not being defined in drafts of the law where it says requiring decryption of communications in urgent cases. “Clarity on this term – which other countries may seek to emulate and even abuse – is important,” they say.

New UK laws ban unbreakable encryption for internet and social media companies

Featured

New UK laws ban unbreakable encryption for internet and social media companies

Companies such as Apple and Google will be banned from offering unbreakable encryption under new UK laws.

Set to be unveiled on Wednesday (November 4), internet and social media companies will no longer be able to provide encryption so advanced that they cannot decipher it, according to The Daily Telegraph.

It will see tech firms and service providers required to provide unencrypted communications to the police or spy agencies if requested through a warrant, and comes as David Cameron urged the public and MPs to back his new surveillance measures.

On ITV’s This Morning earlier today (November 2), the Prime Minister argued that terrorists, paedophiles and criminals must not be allowed to communicate secretly online.

“We shouldn’t allow the internet to be a safe space for them to communicate and do bad things,” he outlined.

Measures in the Investigatory Powers Bill will place a duty on companies to be able to access their customer data in law, and is also expected to maintain the current responsibility for signing off requests with the Home Secretary, but with extra judicial oversight.

The bill will also require internet companies to retain the browsing history of their customers for up to a year.

Encryption policy poorly worded by officer: Telecom Minister Ravi Shankar Prasad

Featured

Encryption policy poorly worded by officer: Telecom Minister Ravi Shankar Prasad

The government has blamed a junior official – a scientist — for the encryption policy fiasco, saying he was responsible for the poor and confusing wording of the document and failed to seek advice from his higher ups before making it public.

Several officials in the communications and IT Ministry that ET spoke to admitted that the timing of the release of the draft policy – just before Prime Minister Narendra Modi’s US visit — couldn’t have been worse, prompting its immediate withdrawal.

Speaking exclusively to ET, telecom minister Ravi Shankar Prasad, however, blamed poor wording for directing withdrawal of the policy, which gave an impression that subscribers could become legally liable to store messages exchanged throug WhatsApp, Facebook and Google among other social media platforms for up-to 90 days, and produce them before authorities if asked. The intent of the government was to make the social media and messaging companies liable to store information for the 90 day period.

“I read the draft. I understand that the manner in which it is written can lead to misconceptions. I have asked for the draft policy to be withdrawn and reworded,” Prasad said. “There was a misuse of word ‘users’ in the draft policy, for which the concerned officer has been taken to task.”

He explained that the wrong use of the phrase ‘users of encryption’ instead of ‘creators of encryption’ had led to all the confusion. Prasad added that the ‘scientist’, who was part of the expert committee under the Department of Information and Technology (Dei-TY), was responsible for the confusion. The expert panel had been tasked with framing of a national policy on ‘encryption’ which is crucial for the national policy on cyber security.

Internally, senior officials in the ministry admitted the timing of the draft policy release was all wrong with Modi set to travel to the US and meet, among others, Facebook CEO Mark Zuckerberg and other tech giants as well as many from the Indian diaspora.

“This is bad timing for sure. Modi would have surely have faced very uncomfortable questions at what is expected to be very high profile visit,” one of the officials told ET. Another official said the official tasked with coordinating and putting the policy together should have shown either the joint secretary, secretary or someone in the minister’s office before releasing it for public consultation. “This is the basics, especially for something which could be controversial.

But it was messed up,” he said, adding that reworking the policy and putting it in the public domain could take around three weeks.

The government Tuesday was forced to withdraw the controversial ‘draft encryption policy’ just over 12 hours after making it public after it came under severe criticism, especially on social media, for its move to make individuals legally bound to retain personal chats/messages on social networking sites for 90 days and provide to law authorities, if asked.

The draft policy was met with severe criticism, citing invasion of privacy, forcing DeiTY to clarify within a few hours on Monday that chats on popular social networking sites like Whatsapp and Facebook were exempted. And Tuesday it withdrew it in its entirety.

Prasad urged citizens not to misunderstand the policy. “Firstly this is a draft policy not the final policy and we have sought the comments of all stakeholders. There has always been a need for a policy on encryption given the spurt in online transactions through net banking, ecommerce, and so on,” Prasad said.

“However, no attempt will ever be made to jeopardize the rights of netizens and this government’s commitment to social media and the rights of netizens is unwavering,” he added. Dismissing speculation that the government had withdrawn the policy owing to severe media backlash or political pressure, Prasad said the country needed a robust encryption policy for security reasons.

One of the officials cited above said that the essence of the reworked draft policy will remain same, but it will be reworded. “The final policy could also require the companies to set up servers in India,” he added.

According to sources, the Intelligence Bureau (IB) had demanded that government make it mandatory for all the companies to make keep data for up-to one year, but the ministry of communications and IT had brought it down to just 90 days.

The policy seeks to bring all creators of ‘encryption codes’ to register with the government. Secondly the department of IT will from time to time notify standardized algorithms which could be used by companies. “We will only standardize the algorithms based on global practices, the formula of encryption codes will remain with the creators only,” the official said.

At present, an internet service provider licence allows for encryption of only up-to 40 bits but banks, e-commerce companies and communication services use much higher levels of encryption codes.

Whose keys are they anyway?

Featured

Whose keys are they anyway?

Google recently announced enhanced security support for its cloud customers by granting them the ability to hold the encryption keys to their data. These customer-supplied encryption keys for the Google Cloud Platform follow the example set by other cloud industry leaders such as Amazon Web Services and Box and position the tech giant as an advocate for user data privacy.

The many federal IT managers who rely on Google Cloud and AWS are now able to develop a more sound security strategy when it comes to adopting the cloud. Government security managers running Google Cloud should educate themselves on the various cloud encryption models available and also consider which complementary security solutions must also be implemented. Depending on the cloud encryption model employed, cloud data may be susceptible to unauthorized access by cloud service provider insiders or be moved to other jurisdictions that might present data sovereignty issues.

Let’s break it down.

Server-side encryption. At the most basic level of the cloud encryption models, there is server-side encryption (SSE), where the encryption is performed by the cloud service provider using keys it owns and manages itself. Server-side encryption is the most vulnerable cloud encryption model, as the key unlocking access to the data is in control of the cloud provider. While SSE provides a basic level of encryption, it does not provide enterprise security control nor does it help protect against insider attacks because service provider employees could access the data intentionally or by mistake.

Server-side encryption with customer-provided keys. What Box, AWS and now Google offer is server-side encryption with customer-provided keys (SSE-CPK). In this model, the cloud provider handles the encryption but hands the keys the customer to own and manage. The cloud service provider runs the encryption in its underlying infrastructure and promises to only keep the keys in memory while the virtual machine is up and running. However, the keys still flow through cloud provider application programming interfaces, so it is not much of a stretch for the cloud provider to divert or intercept the keys.

Client-side encryption. The most secure solution is client-side encryption (CSE), which occurs in the cloud but it is initiated and managed by the data owner. The customer selects the encryption method and provides the encryption software. Most important, the customer owns and manages the encryption keys.

This approach allows customers to store and manage the keys for the virtual machines on their own premises or in a controlled instance in the cloud. When the virtual machine boots up in the private or public cloud, it can use a pre-boot network connection to an enterprise-controlled intelligent key manager to retrieve the key.

In the announcement of SSE-CPK on Google’s blog, the company chides, “Keep in mind, though, if you lose your encryption keys, we won’t be able to help you recover your keys or your data – with great power comes great responsibility!” The onus is indeed on the customer to not only keep the keys close, but keep them safe. The most responsible move for IT admin is to have an enterprise-controlled intelligent key management solution to manage crypto activities.

Google’s support for SSE-CPK is a step in the right direction to giving enterprises control over who accesses their data, but it still falls short of client-side encryption. Only with the CSE model – where both the encryption and keys are initiated and managed by the data owner, not the cloud provider – does the customer have the most protection and control possible in the cloud.

Jeb Bush: encryption makes it too hard to catch “evildoers”

Featured

Jeb Bush: encryption makes it too hard to catch "evildoers"

Bush, the former governor of Florida, said Tuesday that encryption “makes it harder for the American government to do its job.”

That job would be, according to Bush, “making sure that evildoers aren’t in our midst,” echoing a phrase frequently used by his brother President George W. Bush to describe the threat of radical Islamic terrorism.

If you create encryption, it makes it harder for the American government to do its job – while protecting civil liberties – to make sure that evildoers aren’t in our midst.

Governor Bush’s comments were delivered at a forum hosted by a lobbyist group called Americans for Peace, Prosperity and Security (APPS) with close ties to military contractors, that is pushing presidential candidates to adopt “hawkish positions,” according to The Intercept.

(APPS’s advisory board includes members of what you might call the National Security establishment – including a former national security advisor to George W. Bush and a former CEO of BAE Systems. Its honorary chair is Mike Rogers, formerly the chairman of the US Congress’s Permanent Select Committee on Intelligence.)

Bush also advocated for wide latitude for the NSA to continue collecting phone metadata, although the NSA’s surveillance powers over Americans have been curtailed by Congress.

There’s “no evidence” that the NSA abused its powers or infringed on civil liberties of Americans, Bush said.

In fact, Bush said, in the clash of surveillance and civil liberties, “the balance has actually gone the wrong way” – meaning that civil liberties have too much weight.

There’s a place to find common ground between personal civil liberties and NSA doing its job. I think the balance has actually gone the wrong way.

While some US officials have advocated for technology companies to give law enforcement backdoors to read encrypted data, many security experts and tech companies say such a move would jeopardize security for everyone.

Others have pushed for some sort of middle ground, such as a multi-part encryption key that would keep encryption safeguarded by multiple agencies or companies holding part of the key.

Bush falls into this middle ground category, saying at the APPS forum that Silicon Valley companies (like Google and Apple) should cooperate with the government.

We need to find a new arrangement with Silicon Valley in this regard because I think this is a very dangerous kind of situation.

In response to Bush’s comments, some in tech and media suggested that Bush doesn’t really understand encryption.

Andrew Wooster, co-founder of a Seattle mobile software company, tweeted:

Jeb Bush: encryption makes it too hard to catch "evildoers"

The presidential politics of cybersecurity

As the 2016 US presidential election contest has heated up this summer, we’re reminded that cybersecurity isn’t just about technology, it’s also about policy – and that makes it highly political.

It’s still quite early in the election cycle, but cyber issues have taken up a good bit of the debate so far.

At a 6 August Republican debate, two contenders – Governor Chris Christie and Senator Rand Paul – clashed on NSA powers, with Christie claiming that the government needs “more tools” for fighting terrorism, and Paul arguing that the US Constitution requires a warrant for collecting data from Americans.

On the Democratic side, former Secretary of State Hillary Clinton has largely avoided the issue of NSA surveillance, while her chief rival, Senator Bernie Sanders, has called the NSA activities exposed by leaker Edward Snowden “Orwellian” and “clearly unconstitutional.”

Beyond encryption and surveillance, the cyberthreat from China has also taken up a lot of air time, with Republican candidates Mike Huckabee and Marco Rubio calling for retaliation against China over its presumed involvement in cyberattacks on the US government.

Clinton didn’t go as far as Huckabee or Rubio, but talked up the threat of Chinese economic espionage in a speech last month in which she also claimed that China wants to hack “everything that doesn’t move in America.”

A lot of important policies affecting privacy and security of Americans – and others around the world – will be decided by the next US president.

If you care about any of these issues – encryption, surveillance and the powers of law enforcement; privacy rights; government oversight of the internet and telecommunications; and laws that affect everything from data breach liability, to the rights of security researchers to hack things – it’s time to tune in and make your voice heard.

Google Hangouts doesn’t use end-to-end encryption

Featured

Google Hangouts doesn't use end-to-end encryption

If you’re using Google Hangouts as your main messaging service, you might want to know that Hangouts doesn’t use end-to-end encryption (E2EE), a must-have feature for messaging services in the post-Snowden world.

This was recently confirmed during a Reddit Ask Us Anything (AUA) session by Google’s Richard Salgado, Director for Law Enforcement and Information Security, and David Lieber, Senior Privacy Policy Counsel.

As far as messaging services go, end-to-end encryption is a method of encrypting data so that only the sender and the recipient of a certain message can make sense of the data being transferred. The main thing to bear in mind is that the provider of an E2EE-encrypted messaging service cannot view the messages itself, as the data is encrypted and decrypted locally by the sender and the recipient.

While the service provider has access to the bits of information that are transmitted between the sender and the recipient, this data looks like complete gibberish without the encryption key. It’s worth noting that Whatsapp, the largest messaging service in the world, uses end-to-end encryption, as does Apple’s iMessage.

The two Google representatives confirmed that Hangouts only uses in-transit encryption, a method that prevents ISPs and telecom operators from peeking at the messages. Long story short, Google can intercept Hangouts conversations when ordered by law enforcement agencies and governments.
Google previously revealed that requests for user data coming in from governments across the globe rose one and a half times over the past five years, although the company did not break down the numbers by service.