Supposedly anonymous social media app Whisper actually tracks some users – particularly newsworthy ones – even after they’ve specifically opted out of geolocation, The Guardian claimed on Thursday.
What’s more, The Guardian claimed that Whisper also stores user data “indefinitely” in a searchable database.
Some of that information, gleaned from mobile phones it tracked to military bases, is even shared with the US Department of Defense (DOD).
The Guardian illustrated its story with a Whisper message picked up from around the US White House. The image features red icons signifying people who have posted to Whisper, including the featured message.
The poster’s identity is redacted, but the photo itself is of President Barack Obama with text overlaid:
I'm so glad this app is anonymous. The press would have a field day if they knew some of the stuff I post here.
Was the Whisper from an advisor to the president? Or from somebody cleaning the rooms in the West Wing?
We don’t know, but the employees of Whisper have the tools to make good assumptions regarding identity, The Guardian says.
Whisper makes a big deal about anonymity, going so far as to call itself “the safest place on the internet”.
Like a competing app, Secret, the US version of Whisper enables users to post anonymous messages overlaid on images or photos and to share them with others.
Whisper has attracted millions of users and is particularly popular among military personnel as a venue to share content – characteristically in the form of confessions – they would be unlikely to post to more public social media sharing services, such as Twitter or Facebook.
For example, a Buzzfeed article recently illustrated 23 harrowing confessions made on Whisper regarding sexual assault in the military, such as this:
I was raped by 2 different men during AIT when I was in the Army. They didn't get in trouble because I never told anyone.
This happens way too often to female soldiers.
According to The Guardian, Whisper has created an in-house mapping tool that enables staff to filter and search GPS data relating to those intimate confessions, pinpointing messages to within 500 meters of the spot from which they were sent.
While determining a person’s location doesn’t necessarily identify a given Whisperer, locations of mobile phone users can add up over time to create full pictures of tracked individuals, as US courts have noted while debating the constitutionality of warrantless tracking of mobile phone locations.
This allows the company to do things like monitor all messages sent from the Pentagon or the National Security Agency or, again, the White House, or to track one user’s movements over time.
The Guardian also discovered that Whisper, on a targeted, case-by-case basis, extracts the rough location of users, even when they have turned off geolocation, by looking up the approximate location of their IP addresses.
The Guardian found this all out first-hand at Whisper’s Los Angeles headquarters last month, while on a three-day visit to explore an “expanded partnership”.
While there, Whisper staff granted The Guardian access to its back-end system. What it found will undoubtedly unnerve users.
From the Guardian’s analysis of how Whisper tracks users:
Furnished with an extremely simple password, we were given access to the company's vast library of texts and photographs and, in most cases, the location of their authors. The company's developers have created a back-end analytics tool to conduct more refined searches of the database, the most powerful of which pinpoints location.
On the same day that the Guardian’s story went live, Whisper CTO Chad DePue went on Hacker News to poke holes in it, calling it “really bad reporting.”
One of the holes he wanted to poke concerned the database of geolocations that the Guardian had noted. He disparaged the repository, calling it a legacy database that’s so inaccurate it’s “laughable”:
We use a legacy maxmind geoip database so we can put the whisper in a general location. that is so inaccurate as to be laughable. for instance, my current IP using our service says "USA", though I'm in Venice, CA. This is hardly a privacy violation...
In fact, he said, geo tracking is important for a “bunch of reasons”, including making sure that notifications don’t get pushed at users when they’re fast asleep at 3am, blocking spam, and pushing location-relevant content.
Some of that makes sense, such as choosing content that is a good fit with users’ locations.
Except that if they’ve gone to the trouble of turning geolocation off in the first place, why continue to offer them a service that acts as though they haven’t?
As for blocking spam, I’m not sure that the recipient’s location is of much significance.
The location of the sender, perhaps (because their location might be at odds with the claims of the message they are transmitting), but not the recipient.
And as for not waking phone users up at 3am…isn’t that what the volume and mute controls are all about?
John Shier and Paul Ducklin discussed the issue of collecting metadata in a recent Chet Chat podcast.
They were talking about Adobe’s latest e-reader, which turned out to keep a closer-than-you-might-expect track of your e-reading habits, and they concluded that:
It sounds like [metadata] doesn't matter. Maybe it doesn't. But the only way you can be absolutely sure that metadata doesn't matter is if you don't collect it in the first place.
Listen now: the metadata discussion starts at 6’16”
Perhaps that’s what Whisper should do?
If users have turned geolocation off, don’t do any geolocation-related calculations against their accounts.
Tracking a user by an IP address will only find the location of their ISP. Suggesting that this is even “geo-tracking” that could be used to identify someone is worse than laughable, it is pitiful. I would go further to say that it makes me question why I would read something from anyone that misinformed/lazy to draw such a conclusion.
If you turn off geolocation, a programmer is not breaking some implicit trust by utilizing information from your IP.
Geo-tracking doesn’t have to mean I know exactly where you are at any given moment. Sometimes it’s enough to know approximately where you are, or where you aren’t.
IPs are allocated by territory and the MaxMind database in question will, if I recall correctly, pinpoint to a particular city. And yes, you’re going to get the ISP where somebody is connected to the Internet but that’s still good for all sorts of uses.
I might not want you to know what city I’m in, if I’m in the North of England, what coast of the US I’m on, what timezone I’m in, how far from home I am, what direction I’m travelling in or how fast.
But the broader point is, you don’t need to know why I don’t want you to know where I am and it shouldn’t be up to you to decide on my behalf what resolution constitutes geo-tracking.
A term like ‘geo-tracking’ that is associated with application privileges DOES have a specific definition and it is associated with GPS-based tracking. I’m not picking and choosing what a user means when they turn it off.
I really like this blog but unfortunately Naked Sec and its kind occasionally fall into this trap of ignoring the technical aspects of a story. I assume you guys just don’t have the experience, so I comment.
If the application is anonymous there isn’t much else I can do to associate bad-actors other than an IP address. You better understand that it is going to get stored!
I’m sorry that you don’t want me to know if you’re in Miami or London… as a consumer/user you’re completely entitled to want things that aren’t possible but please don’t conflate my knowing what region you’re in with actually knowing where you are or who you are.