Privacy advocates are raising alarm about Google’s messenger app Allo, pointing out that its Google Assistant overshares search data when not prompted, and the app itself lacks encryption and is potentially open to government spying.

“In the middle of our conversation, my friend directed Assistant to identify itself,”wrote Tess Townsend in her review of Allo in Re/code on Tuesday. “Instead of offering a name or a pithy retort, it responded with a link from Harry Potter fan website Pottermore.”

 

Neither Townsend nor her friend had mentioned Harry Potter in their conversation, before Allo brought it up.

“But the response was not merely a non sequitur,” continues Townsend. “It was a result related to previous searches my friend said he had done a few days earlier.”

Later in an exchange when Google Assistant was asked “What is my job?” It shared a Google Maps image with a co-working space the reporter had once used rather than a publicly listed address of her previous employer.

“Google had the address on file because I had included it in my personal Google Maps settings,” wrote Townsend. “It did not ask my permission to share that.”

When asked about the slip up, Google said, “We were notified about the Assistant in group chats not working as intended. We’ve fixed the issue and appreciate the report.”

Google Assistant is supposed to request permission from a user before sharing personal information in an Allo chat, but the privacy feature doesn’t appear to always work.

A review of the app when it was announced in 2016 said Allo uses “machine-learning and natural language processing” to suggest replies on the fly.

“Meaning it can anticipate what you want to say next and how you might say it. The more you use Allo, the better your suggestions become. And they will always be unique to you. However, because messaging isn’t just about texts, replies also contain stickers and emoji,”according to PocketLint.

Furthermore, the company originally presented the message app as encrypted, with the promise of storing message only transiently rather than indefinitely. When the app was released, however, Google said the app messages would be stored by default and user would have to manually delete them. The company argued that the app’s smart reply feature, Google Assistant, worked better with access to more data. Full end-to-end encryption was likewise in place only if a user applies Allo’s Incognito Mode.

“The decision will also have significant will also have significant consequences for law enforcement access to Allo messages,” reported the Verge. “By default, Allo message will now be accessible to lawful requests, similar to message data in Gmail and Hangouts and location data collected by Android.”

NSA whistleblower Edward Snowden issued a warning shot about Allo after its launch last year.

 

“What is #Allo?” he tweeted. “A Google app that records every message you ever send and makes it available to police upon request.”