Secret-sharing phone app ‘Whisper’ accused of tracking users, handing info to law enforcement

16 Oct, 2014 21:03 / Updated 10 years ago

Whisper, the anonymity-centric smartphone app that’s marketed as being “the safest place on the internet,” is in hot water after being alleged by The Guardian of tracking users and sharing their info with governments.

IMPORTANT FOLLOW UP:Guardian walks back report of privacy violations by Whisper anonymity app

On Thursday, journalists at the UK-based newspaper wrote that a recent visit to Whisper’s Venice Beach, California headquarters left reporters certain that, despite claims from the app’s developers, customers information is being stored on the company’s servers indefinitely and, in some instances, shared with law enforcement agencies, research groups and even the Department of Defense with little-to-no warning being given to users.

Paul Lewis and Dominic Rushe — the Guardian journalists who detailed the Oct. 9 visit to Venice Beach in Thursday’s article — wrote that Whisper’s previously undocumented behavior “will alarm users,” especially because they “are encouraged to disclose intimate details about their private and professional lives” blatantly on the company’s website.

Whisper, its developers explain on the app’s site, “is a service that allows users to communicate by posting and viewing publicly available content and sending private messages,” and, “Unlike other services, users do not register for unique accounts on Whisper.” According to the Guardian, around 2.6 million “whispers” are sent through the app each day, meaning users are sending more than 100,000 messages every hour from smart phones, the likes of which often appear as geo-tagged images with anonymous-penned prose layered on top.

Whisper “is committed to being a safe place for our users to anonymously share their innermost thoughts, secrets and feelings. That’s why we place so much focus on protecting your privacy and personal information,” another portion of the website reads.

That’s not exactly correct, the Guardian alleged:

User data, including Whisper postings that users believe they have deleted, is collated in a searchable database. The company has no access to users’ names or phone numbers, but is storing information about the precise time and approximate location of all previous messages posted through the app. The data, which stretches back to the app’s launch in 2012, is being stored indefinitely, a practice seemingly at odds with Whisper’s stated policy of holding the data only for ‘a brief period of time,’” the paper reported this week.

Additionally, the Guardian claimed that “Whisper has developed an in-house mapping tool that allows its staff to filter and search GPS data, pinpointing messages to within 500 meters of where they were sent,” which, according to the paper, “enables the company to monitor all the geolocated messages sent from the Pentagon and National Security Agency. It also allows Whisper to track an individual user’s movements over time.”

When users have turned off their geolocation services, the company also, on a targeted, case-by-case basis, extracts their rough location from IP data emitted by their smartphone” the Guardian claimed.

Neetzan Zimmerman — the editor-in-chief of Whisper and a former writer at the gossip site Gawker — has since fired back at those accusations and others with a barrage of messages sent on Thursday from his Twitter account.

First response: The Guardian’s piece is lousy with falsehoods, and we will be debunking them all. Much more to come.

— Neetzan Zimmerman (@neetzan) October 16, 2014

The Guardian’s piece is lousy with falsehoods, and we will be debunking them all,” Zimmerman tweeted, telling another social media user in a follow-up that the paper’s report is nothing more than “a pack of vicious lies.”

The Guardian made a mistake posting that story and they will regret it,” Zimmerman threatened later. “Whisper has never nor will ever collect nor store ANY personally identifiable information from its users,” he added, insisting later that names, phone numbers, email addresses and location data isn’t collected unless explicitly offered by the user.

Users who do not opt in to location send NO GPS information,” he added. “It is a technical impossibility for us to determine their location.”

Second response: The Guardian made a mistake posting that story and they will regret it.

— Neetzan Zimmerman (@neetzan) October 16, 2014

The Guardian doesn’t dispute that, however, and instead claimed that, among other issues, Whisper can all-too-easily de-anonymize users by other means. Rather, the paper reported, “the company uses IP address location data to establish the rough location of some users who have opted out the app’s geolocation services,” referring to the Internet Protocol, or IP, data that shows how a web-ready device connects to the ‘net.

When Guardian reporters visited Whisper last month, Zimmerman and another executive said that when they wanted to establish the location of individual users who are among the 20% who have opted out of geolocation services, they simply asked their technical staff to obtain the ‘latitude and longitude’ of the phones they had used,” the paper reported.

In January, Forbes journalist Parmy Olson warned that there were at least three reasons in particular to be weary of Whisper’s alleged anonymity claims amidst a firestorm of media coverage that had nearly overnight propelled the Southern California start-up into a multi-million-dollar company.

Whisper says in its Privacy Policy that it collects device identifiers known as UDID’s, details about your web browser, operating system, ISP, and what pages you view. Missives sent through Whisper’s direct message system, WhisperText, are also subject to analysis from Whisper’s proprietary analytics software,” Olson acknowledged, adding elsewhere in her article that “users should remember that nothing is 100% anonymous on the mobile web — not least on a free service that eventually needs to monetize itself.”

Indeed, the Guardian reported with this week’s exposé that Whisper’s executives admitted that the company is trying to build relationships with newspapers and TV networks and, despite being engaged in a partnership with Buzzfeed until now, that wildly popular website said this week that it would be “taking a break” from Whisper until the company can properly clarify the allegations concerning user privacy.

Meanwhile, the Guardian reported that Whisper execs acknowledged during the trip to headquarters earlier this month that some of the company’s latest efforts have directly involved investigating certain users based off of their activity. In Gaza, for example, one exec told the Guardian that Whisper was monitoring select Israeli Defense Force soldiers in the midst of the recent military operation against Palestine.

We had 13 or 14 soldiers who we were tracking – every whisper they did,” Guardian quoted an unnamed Whisper exec. “He’s a guy that we’ll track for the rest of his life and he’ll have no idea we’ll be watching him.”

Whisper’s military ties don’t end there, however; among the allegations put out by the Guardian this week is that Whisper “is cooperating with the US Department of Defense, sharing information with researchers investigating the frequency of mentions of suicide or self-harm from smartphones that Whisper knows are being used from US military bases.”

In other instances, the paper reported, Whisper provides law enforcement agencies like the FBI in the United States and Britain’s MI5 with user data in the event of an emergency. Citing unnamed privacy experts, though, the Guardian said Whisper appears “to require a lower legal threshold for providing user information to authorities than other tech companies.”

The CEO pitched me at SXSW on Whisper as a whistleblowing tool. Forgot to mention he secretly hands data to DOD. http://t.co/jPRJbplwRV

— Barton Gellman (@bartongellman) October 16, 2014

Barton Gellman, the Washington Post reporter who met with former government contractor Edward Snowden multiple times last year to investigate leaked security documents, opined on Twitter on Thursday that he too was led to believe that Whisper was something it now appears not to be.

“The CEO pitched me at SXSW on Whisper as a whistleblowing tool. Forgot to mention he secretly hands data to DOD,” Gellman said.