US Senate calls Whisper in for serious questioning on user tracking

US Senate calls Whisper in for serious questioning on user tracking

Whisper logo on map backgroundThe US Senate has a few privacy-related questions it would like to ask the people in charge at Whisper, the self-proclaimed “safest place on the internet”.

Earlier this month, The Guardian published three articles alleging that Whisper’s supposedly anonymous messaging service tracks even those who opt out of geolocation, that it shares what’s supposed to be anonymous content with the Department of Defense, and that its user data is collated and stored indefinitely in a searchable database.

What’s more, the Guardian reported, Whisper stores and processes its user information in the Philippines, contrary to what its policy said at the time about storing such information in the US.

That presents potential situations wherein US laws protecting privacy wouldn’t apply to data kept on overseas servers, as well as questions about how secure the data is against getting hacked out of Whisper’s systems.

(Whisper didn’t provide The Guardian with details of how, exactly, it secures the sensitive user data.)

Whisper CTO Chad DePue shot back immediately, talking to Y Hacker News on the same day that the articles published, dismissing them as “really bad reporting”.

The newspaper has stood its ground, pointing to what it considers damning evidence of privacy malfeasance, including Whisper’s rapid change to its user policy once the company was made aware of the Guardian’s intended coverage.

The timing was sheer coincidence, Whisper retorted.

Regardless of Whisper’s shrugging off of the charges, Senate Commerce Committee Chairman Jay Rockefeller would like to dive down into the details of, for one thing, how and when that policy change went down, among other issues brought up in the Guardian’s stories.

To that end, on Wednesday, Rockefeller sent a letter to Whisper CEO Michael Heyward telling him that the committee would like Whisper to pay them a visit.

Be prepared to address these issues when you show up, Rockefeller said:

  1. Whether and how Whisper tracks or has tracked the location of its users who have opted out of geolocation services, and if it has, how does it or has it used that information.
  2. The extent to which Whisper retains user data and the location(s) where user data is processed and retained.
  3. Whisper’s practices regarding sharing user data with third parties, including when and how those practices have changed over time.
  4. Whisper’s practices regarding notifying users about its privacy and data security policies related to user data, including any changes to those policies.

In his letter, Rockefeller noted that Whisper’s been waffling on some of the points the Guardian raised.

He points to an 18 October 2014 blog post in which Heyward states that Whisper doesn’t “actively” track users, while it does sometimes collect data that can be used to approximate a user’s location.

Whisper has also defended its relationships with media organizations and said it plans to continue such partnerships, Rockefeller noted.

He was referring to Buzzfeed, Huffington Post and Fusion: publications that were in partnerships (since suspended) with Whisper.

The Guardian, in fact, gleaned its knowledge of Whisper’s back end systems and processes during a three-day trip to Whisper headquarters – a trip taken to explore a journalistic partnership between The Guardian and Whisper.

From such partnerships with publications came reports containing sensitive, intimate Whisper confessions. Including an article from Buzzfeed about sexual assaults in the military.

Whisper says it is not tracking users who’ve opted out of geolocation. So how then, the Guardian asks, did it vet “every account using our back-end tools and filtered out any we thought might be bogus claims”, as it reportedly told Buzzfeed about the military messages?

The Guardian notes that out of 23 Whisper posts featured in the article about sexual assault in the military, 5 were from users who had opted out of geolocation.

Rockefeller and the Guardian both want to know, how, exactly, were those users vetted if in fact Whisper only uses IP addresses to obtain rough user locations?

In fact, while Senator Rockefeller has posed four questions, the Guardian itself has posed a list of 10 far more specific questions for Whisper.

Rockefeller, for his part, wants to hear Whisper’s explanation of the extent to which it retains user data.

Online privacy is something he takes seriously as chairman of the committee that has jurisdiction over the Federal Trade Commission and consumer protection, he said.

Those consumers deserve privacy policies that are “transparent, disclosed, and followed by the company,” he said.