If you’re looking to plan a heist, you’d probably best stay clear of Hangouts: Google has inadvertently confirmed that its chat platform is susceptible to police and government monitoring.

While the tech giant usually keeps quiet about Hangouts’ security features, the revelation (of sorts) came out of an “Ask Me Anything” session Friday on Reddit that included members of Google’s public policy department and legal team. Its proposed topic was “the current status of U.S. government surveillance law reform and how Google thinks about these issues,” but the questions were less about laws or reform and more about Google’s practices.

Early in the session, the American Civil Liberties Union’s principal technologist Christopher Soghoian posted:

Hi, Google has repeatedly refused to acknowledge whether or not it is capable of wiretapping Hangouts for government agencies. In contrast, Apple’s FaceTime product uses end-to-end encryption and the company says it is not able to wiretap this service. Why has Google refused to be transparent about its ability to provide wiretaps for Hangouts? Given Google’s rather impressive track record regarding surveillance transparency, the total secrecy regarding the company’s surveillance capabilities for this product is quite unusual.

The reply from Richard Salgado, Google’s director for law enforcement and information security, cited the company’s record of disclosing wiretap requests (“There were a total of seven wiretap orders in the first half of 2014, covering nine accounts”), but the following part is what set Reddit ablaze. “Hangouts are encrypted in transit,” Salgado said, linking to Google’s official help document.

Readers were quick to point out that “in transit” is not the same as the end-to-end encryption that Apple boasts for its iMessage and FaceTime programs. As Reddit user reddit_poly pointed out, “This means that Hangouts are only encrypted on their way between your computer and Google’s servers. Once they arrive at Google’s end, Google has full access.”

This does not mean that Johnny Law can just tap into your discussion of last week’s Game of Thrones shenanigans all willy-nilly. The government still needs Google’s permission to access the servers and read Hangouts data, which the company readily admits it has given. It posts summaries of these and similar actions in its online transparency report, which shows that it has received wiretap orders at least since June 2013.

The term “in transit” doesn’t appear on Google’s official document; it only says that “your information will be encrypted so that it’s secure.” The Reddit discussion has served to clarify what exactly that means, and while the company has tools in place to let users know what it is and is not sharing, exactly how Google accesses and secures Hangouts data has been a long time coming.

Via: Motherboard