Whisper executive says tracking happens, but the data isn’t exact

On Thursday, the Guardian published a story on how the anonymous secret sharing application, Whisper, was actually tracking users despite claims to the contrary.

On top of that, the Guardian’s report says that newsworthy Whisper users are monitored, and the data that’s collected is stored in a searchable database, the contents of which are sometimes shared.

The Guardian says that Whisper has developed an in-house mapping tool that can filter and search GPS data, pinpointing messages within 500 meters from where they were sent. This allows the company to monitor all geo-located data with a given area. An example of this would be tracking messages that were sent from the Pentagon, or areas near it.

“When users have turned off their geolocation services, the company also, on a targeted, case-by-case basis, extracts their rough location from IP data emitted by their smartphone,” the Guardian’s story explained.

“The Guardian witnessed this practice on a three-day visit to the company’s Los Angeles headquarters last month, as part of a trip to explore the possibility of an expanded journalistic relationship with Whisper.”

After learning about some of the inner workings, the Guardian said they decided against forming a working relationship.

When it comes to the searchable database, the Guardian says that user data, including postings that one might believe to have been deleted, are stored without users names or phone numbers, but the precise time and approximate location are all indexed. This data store goes back to the very beginning of the app in 2012.

Responding to the Guardian article, Whisper CTO, Chad DePue, said that the story was “really bad reporting” while confirming that anonymous users are tracked.

However, he said that the data collected with regard to location isn’t fully accurate.

Whisper uses a legacy Maxmind GeoIP database so inaccurate, it’s laughable, DePue said, explaining that GeoIP information is collected in order for Whisper to function properly.

“The whisper needs to actually appear in the app, and it won’t appear without some general location,” he wrote in a post to Hacker News.

In addition, DePue said that general location is used to determine things that users might be interested in, “folks who post in lower Manhattan may see different results than people in College Station, TX, over time.”

Another reason that IP information is collected is because of anti-spam measures, and to comply with law enforcement demands. DePue said that location data is “fuzzed” and randomized so that once a Whisper is saved to the system, no one is able to tell where the user was.

In response to DePue’s comments, noted security researcher and privacy expert, Moxie Marlinspike, pointed out that the Guardian’s reporting seemed entirely accurate.

“You’re attempting to justify why you’re tracking your users, but you’re still tracking them,” Marlinspike wrote.

“…It seems simple to me: if you haven’t designed something that gives you truly unlinkable anonymity, don’t claim to provide it. If you have to track your users to make your app work, don’t claim not to track your users.

“…There’s a huge difference between ‘can’t’ track and ‘won’t’ track. Right now you’re claiming, ‘can’t,’ but it sounds like you’re squarely in the ‘won’t’ category of having your servers ‘avert their eyes.’ I think this understandably makes people uneasy, particularly given the data mining direction it sounds like the company is headed.”

Another point the Guardian raised was the claim that once notified a story concerning their practices was coming; Whisper changed their terms of service.

DePue said this statement was false, and that the change was something that had been planned for some time. An outline of the changes was published in a follow-up by the Guardian.

The issue most privacy experts have with this situation is that Whisper claimed to be an anonymous service, but what the Guardian demonstrated is the exact opposite.

Data mining is being conducted, and even if a user opts out or disables their geo-location, their data is still collected. The usefulness of this data isn’t clear, but the fact it exists at all is the problem.

Whisper is expected to release additional statements disputing the Guardian’s reporting. Once they do, this story will be updated accordingly.