A bug in Google Allo can reveal your search history to your recipients, Recode’s Tess Townsend uncovered. The issue is not only connected to Google Allo but also the Google Assistant that the company recently started rolling out to more users. The fully fledged version of the Google Assistant can be activated during any conversation in Google Allo, which is what’s probably causing the bug that’s raising some major privacy-related concerns.
As it turns out, the Google Assistant may share your search history with your recipients in Google Allo in case it doesn’t fully understand a query and tries to answer it with some of your previous inquiries. In this particular scenario, one user asked the Google Assistant to start identifying itself as a bot in the future, to which the voice-enabled companion answered with a link to Pottermore, a Harry Potter fansite. The link in question led to some passages from Harry Potter and the Order of the Phoenix, and while it may seem unrelated to the command given to the Google Assistant, the AI companion didn’t provide it at random. Instead, the link was pulled from their search history as they later revealed that they were looking at that particular page several days prior to the conversation which uncovered the bug. The Google Assistant posted that link automatically and both participants were able to see it. A screenshot of the conversation that led to this discovery can be seen below.
While the Mountain View-based tech giant added some privacy mechanisms to its voice-enabled digital helper that were meant to prevent this type of situations from happening, they obviously aren’t perfect and are still prone to lapses. Another screenshot in the gallery below shows how the Google Assistant is supposed to handle potentially sensitive information that users ask it to share in a conversation with another party. When asked about the name of its owner, the companion responds with a question regarding whether it’s allowed to share that information in a conversation and only does so when given explicit permission. It’s unclear why the Google Assistant didn’t ask the same thing before sharing a part of a user’s search history in the aforementioned example and why it displayed identical behavior when asked about its owner’s workplace address, but hopefully Google sheds some light on this issue soon.