Supposedly anonymous social media app Whisper actually tracks some users – particularly newsworthy ones – even after they’ve specifically opted out of geolocation, The Guardian claimed on Thursday.
What’s more, The Guardian claimed that Whisper also stores user data “indefinitely” in a searchable database.
Some of that information, gleaned from mobile phones it tracked to military bases, is even shared with the US Department of Defense (DOD).
The Guardian illustrated its story with a Whisper message picked up from around the US White House. The image features red icons signifying people who have posted to Whisper, including the featured message.
The poster’s identity is redacted, but the photo itself is of President Barack Obama with text overlaid:
I'm so glad this app is anonymous. The press would have a field day if they knew some of the stuff I post here.
Was the Whisper from an advisor to the president? Or from somebody cleaning the rooms in the West Wing?
We don’t know, but the employees of Whisper have the tools to make good assumptions regarding identity, The Guardian says.
Whisper makes a big deal about anonymity, going so far as to call itself “the safest place on the internet”.
Like a competing app, Secret, the US version of Whisper enables users to post anonymous messages overlaid on images or photos and to share them with others.
Whisper has attracted millions of users and is particularly popular among military personnel as a venue to share content – characteristically in the form of confessions – they would be unlikely to post to more public social media sharing services, such as Twitter or Facebook.
For example, a Buzzfeed article recently illustrated 23 harrowing confessions made on Whisper regarding sexual assault in the military, such as this:
I was raped by 2 different men during AIT when I was in the Army. They didn't get in trouble because I never told anyone.
This happens way too often to female soldiers.
According to The Guardian, Whisper has created an in-house mapping tool that enables staff to filter and search GPS data relating to those intimate confessions, pinpointing messages to within 500 meters of the spot from which they were sent.
While determining a person’s location doesn’t necessarily identify a given Whisperer, locations of mobile phone users can add up over time to create full pictures of tracked individuals, as US courts have noted while debating the constitutionality of warrantless tracking of mobile phone locations.
This allows the company to do things like monitor all messages sent from the Pentagon or the National Security Agency or, again, the White House, or to track one user’s movements over time.
The Guardian also discovered that Whisper, on a targeted, case-by-case basis, extracts the rough location of users, even when they have turned off geolocation, by looking up the approximate location of their IP addresses.
The Guardian found this all out first-hand at Whisper’s Los Angeles headquarters last month, while on a three-day visit to explore an “expanded partnership”.
While there, Whisper staff granted The Guardian access to its back-end system. What it found will undoubtedly unnerve users.
From the Guardian’s analysis of how Whisper tracks users:
Furnished with an extremely simple password, we were given access to the company's vast library of texts and photographs and, in most cases, the location of their authors. The company's developers have created a back-end analytics tool to conduct more refined searches of the database, the most powerful of which pinpoints location.
On the same day that the Guardian’s story went live, Whisper CTO Chad DePue went on Y Hacker News to poke holes in it, calling it “really bad reporting.”
One of the holes he wanted to poke concerned the database of geolocations that the Guardian had noted. He disparaged the repository, calling it a legacy database that’s so inaccurate it’s “laughable”:
We use a legacy maxmind geoip database so we can put the whisper in a general location. that is so inaccurate as to be laughable. for instance, my current IP using our service says "USA", though I'm in Venice, CA. This is hardly a privacy violation...
In fact, he said, geo tracking is important for a “bunch of reasons”, including making sure that notifications don’t get pushed at users when they’re fast asleep at 3am, blocking spam, and pushing location-relevant content.
Some of that makes sense, such as choosing content that is a good fit with users’ locations.
Except that if they’ve gone to the trouble of turning geolocation off in the first place, why continue to offer them a service that acts as though they haven’t?
As for blocking spam, I’m not sure that the recipient’s location is of much significance.
The location of the sender, perhaps (because their location might be at odds with the claims of the message they are transmitting), but not the recipient.
And as for not waking phone users up at 3am…isn’t that what the volume and mute controls are all about?
John Shier and Paul Ducklin discussed the issue of collecting metadata in a recent Chet Chat podcast.
It sounds like [metadata] doesn't matter. Maybe it doesn't. But the only way you can be absolutely sure that metadata doesn't matter is if you don't collect it in the first place.
Listen now: the metadata discussion starts at 6’16”
Perhaps that’s what Whisper should do?
If users have turned geolocation off, don’t do any geolocation-related calculations against their accounts.