Whisper users tracked?
The so called safest place on the internet is reported to have tracked its anonymous users. Guardian today reported that the anonymous messaging App was not so anonymous at all. In fact, beside gathering data from its users, has also shared on different occasions’ information with the US Department of Defense (DoD), FBI or MI5.
The unique thing about Whisper was that it guaranteed anonymity and privacy to its users. However now it seems that the provider of anonymity itself was gathering and disseminating user information to the law enforcement agencies.
The App which was launched amidst much fanfare in March, 2012, claims to deliver message anonymously. Whisper is a iOS and Android mobile app which purports to allow users to send messages anonymously, and to receive replies. Users post messages which are displayed as text superimposed over an image, similar to greeting cards.
Currently, users of Whisper are publishing as many as 2.6m messages a day. Facebook is reportedly developing its own Whisper-style app for anonymous publishing. The trend toward anonymity in social media has some privacy experts concerned about security.
“When users have turned off their geolocation services, the company also, on a targeted, case-by-case basis, extracts their rough location from IP data emitted by their smartphone,” the article stated.
The Guardian found that Whisper is gathering location data during partnership talks last month. Whisper also seems to be monitoring specific, targeted individuals, even if they did not provide the Whisper app with permissions to use geolocation.
After it had researched the tracking abilities of Whisper, Guardian approached for comment last week, Whisper said it “does not follow or track users”. The company added that the suggestion it was monitoring people without their consent, in an apparent breach of its own terms of service, was “not true” and “false”.
But on Monday – four days after learning the Guardian intended to publish this story – Whisper rewrote its terms of service; they now explicitly permit the company to establish the broad location of people who have disabled the app’s geolocation feature.
Guardian article says that Whisper has developed an in-house mapping tool that allows its staff to filter and search GPS data, pinpointing messages to within 500 meters of where they were sent. To back its research, Guardian published the below mentioned images which showed the exact location of the sender.
Guardians blog states that its research also established the following facts.
- User data, including Whisper postings that users believe they have deleted, is collated in a searchable database. The company has no access to users’ names or phone numbers, but is storing information about the precise time and approximate location of all previous messages posted through the app. The data, which stretches back to the app’s launch in 2012, is being stored indefinitely, a practice seemingly at odds with Whisper’s stated policy of holding the data only for “a brief period of time”.
- A team headed by Whisper’s editor-in-chief, Neetzan Zimmerman, is closely monitoring users it believes are potentially newsworthy, delving into the history of their activity on the app and tracking their movements through the mapping tool. Among the many users currently being targeted are military personnel and individuals claiming to work at Yahoo, Disney and on Capitol Hill.
- Whisper’s policy toward sharing user data with law enforcement has prompted it on occasions to provide information to both the FBI and MI5. Both cases involved potentially imminent threats to life, Whisper said, a practice standard in the tech industry. But privacy experts who reviewed Whisper’s terms of service for the Guardian said the company appeared to require a lower legal threshold for providing user information to authorities than other tech companies.
- The company is cooperating with the US Department of Defense, sharing information with researchers investigating the frequency of mentions of suicide or self-harm from smartphones that Whisper knows are being used from US military bases. Whisper stressed that “specific user data” is not being shared with the DoD, adding that the company was “proudly working with many organisations to lower suicide rates and the US military is among them”.
- Whisper is developing a Chinese version of its app, which received a soft-launch earlier this month. Companies like Google, Facebook and Twitter are banned in mainland China. Whisper executives said they had agreed to the demands China places on tech companies operating in its jurisdiction, including a ban on the use of certain words.
Whisper’s CTO Chad DePue refuted The Guardian’s allegations by claiming, “this is really bad reporting.” DePue claims that they only use a service called Maxmind GeoIP database which according to him is highly inaccurate. “We just don’t have any personally identifiable information. Not name, email, phone number, etc,” DePue added. “I can’t tell you who a user is without them posting their actual personal information, and in that case, it would be a violation of our terms of service.”
However the Guardian article found many backers. Moxie Marlinspike, security researcher and developer behind RedPhone and Signal mobile applications, replied to DePue’s comment: “Based on your own comments here, it sounds like the [Guardian’s] reporting is entirely accurate.”
Buzzfeed, Whispers long standing partner has broken its collaboration deal with Whisper due to the above revelations. Buzzfeed in a statement said that, “We’re taking a break from our partnership until Whisper clarifies to us and its users the policy on user location and privacy.”
You can read the entire Guardian expose on Whisper here