Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.

Claims that Whisper "Safest Place on the Internet" Tracks Users

posted by azrael on Friday October 17 2014, @08:06PM   Printer-friendly
from the when-things-are-too-good-to-be-true dept.
Security

FakeBeldin writes:

The self-dubbed "safest place on the internet", Whisper, apparently tracks users.

Whisper is a platform (like Twitter) where you can post short messages overlaid over a user-supplied picture. Supposedly, you're anonymous while doing so. When the Guardian went on a 3-day visit to pursue editorial relationships with the company, they encountered nuggets such as "an in-house mapping tool that allows its staff to filter and search GPS data, pinpointing messages to within 500 meters of where they were sent", and quotes such as "We had 13 or 14 [IDF] soldiers who we were tracking – every whisper they did".

Tracking facilitated through geolocation facilities in the app if active, with a fallback mode through geo-ip, stored in a database. Which apparently has never had any deletions, ever. To add further insult to injury, the Guardian claims Whisper latches on to potentially newsworthy Whisperers, and follows them.

Whisper has responded to these reports saying:

Whisper does not collect nor store: name, physical address, phone number, email address, or any other form of PII. The privacy of our users is not violated in any of the circumstances suggested in the Guardian story.

The Guardian’s assumptions that Whisper is gathering information about users and violating user’ s privacy are false.

Another reaction by Whisper CTO + scathing reply by well-known privacy hacker Moxie Marlinspike here.

Ars Technica covers basically the same points.

This discussion has been archived. No new comments can be posted.
Claims that Whisper "Safest Place on the Internet" Tracks Users | Log In/Create an Account | Top | 10 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 2) by frojack on Friday October 17 2014, @08:23PM

    by frojack (1554) on Friday October 17 2014, @08:23PM (#107139) Journal

    The Denials sort of skip over the fact that their own staff told the Guardian
        "We had 13 or 14 [IDF] soldiers who we were tracking – every whisper they did".

    How would they know they were soldiers?
    Sure, no Physical address, but that wasn't what the Guardian claimed. They said GPS location within 500 meters. ("Within" might include right down to 6 meters).
    Your IP on a cell phone probably changes once an hour.

    Why would their staff tell reporters one thing and then the public denial uses weasel words to knock it down?

    --
    No, you are mistaken. I've always had this sig.

    • (Score: 3, Interesting) by forsythe on Friday October 17 2014, @08:33PM

      by forsythe (831) on Friday October 17 2014, @08:33PM (#107145)

      Why would their staff tell reporters one thing and then the public denial uses weasel words to knock it down?

      Probably because they were approaching the reporters as clients, not as investigators. It was probably a sales pitch, with the goal of convincing reporters either that they could recommend Whisper to wanna-be-anonymous sources, then verify that the sources were legit, that they could (for a nominal fee) be allowed to skim potentially interesting communications off the Whisper pool to get some breaking news, or both.

  • (Score: 4, Insightful) by takyon on Friday October 17 2014, @08:37PM

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Friday October 17 2014, @08:37PM (#107146) Journal

    Solid write-up, informative links.

    Anonymity app of the week lacks anonymity!

    A team headed by Whisper’s editor-in-chief, Neetzan Zimmerman, is closely monitoring users it believes are potentially newsworthy, delving into the history of their activity on the app and tracking their movements through the mapping tool. Among the many users currently being targeted are military personnel and individuals claiming to work at Yahoo, Disney and on Capitol Hill.

    The company is cooperating with the US Department of Defense, sharing information with researchers investigating the frequency of mentions of suicide or self-harm from smartphones that Whisper knows are being used from US military bases.

    Whisper’s policy toward sharing user data with law enforcement has prompted it on occasions to provide information to both the FBI and MI5. Both cases involved potentially imminent threats to life, Whisper said, a practice standard in the tech industry.

    Whisper executives said they had agreed to the demands China places on tech companies operating in its jurisdiction, including a ban on the use of certain words.

    See also Anonabox [theregister.co.uk], Cryptocat [dubfire.net], or Snapchat's third party Snappening foulup. Next could be Fire [betabeat.com] Chat [gigaom.com].

    If even a heavyweight like open-source Tor is under serious threat, Good luck achieving anonymity with this week's app.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]

  • (Score: 4, Informative) by hemocyanin on Friday October 17 2014, @08:42PM

    by hemocyanin (186) on Friday October 17 2014, @08:42PM (#107150) Journal

    This is an interesting investigation into the software (user side): http://www.zdziarski.com/blog/?p=4056 [zdziarski.com]

    the Whisper app does not appear to be a social networking application with analytics; it appears to be an analytics and user acquisition application that also happens to have a social networking component. With this come a few concerns about privacy and anonymity.

    From the link above:

    • The whisper app is apparently built on Fiksu, a "user acquisition company": https://www.fiksu.com/ [fiksu.com]
    • The app can likely collect all interactions with it, taps, deletes, unsent posts.
    • The app generates a persistent unique userID -- won't matter if you run through tor, your device has a unique identity.
    • The app combines the uniqueID with exif data from pics you post (this can include GPS of course).
    • The app requests 100m radius resolution GPS coordinates even though IOS has options for 1km and 3km radius resolutions.
    • The acquired GPS coords are sent to whisper without any rounding down (which would also effectively widen the radius).

  • (Score: 3, Interesting) by khallow on Friday October 17 2014, @09:48PM

    by khallow (3766) Subscriber Badge on Friday October 17 2014, @09:48PM (#107160) Journal
    Even by internet standards, this smells real fishy. A company that encourages you to make anonymous statements while simultaneously going to considerable effort to track you is at the least an opportunity for anyone who can compromise the system to exploit it for either blackmail or the squashing of dissension (assuming that such things weren't the intended purpose of the app in the first place). Plus its similarity in name to the company "Whisper Systems" which actually provides a legitimate anonymity service may not be coincidental.

  • (Score: 0) by Anonymous Coward on Friday October 17 2014, @10:34PM

    by Anonymous Coward on Friday October 17 2014, @10:34PM (#107175)

    It is hard to get worked up about a company I haven't heard of, nor give a rat's ass about.

    • (Score: 2) by aristarchus on Saturday October 18 2014, @02:53AM

      by aristarchus (2645) on Saturday October 18 2014, @02:53AM (#107236) Journal

      Yeah, you haven't heard of them, but they have heard of you!!! And they are hearing you! Especially the IDF, which, if you are not Jewish, you might want to be worried about. That whole "extra-judicial killing" on suspicion of being a Terrorist? Israelis thought of it first. Check your skies for drones near you.

  • (Score: 1) by pnkwarhall on Saturday October 18 2014, @12:40AM

    by pnkwarhall (4558) on Saturday October 18 2014, @12:40AM (#107212)

    Moxie Marlinspike has sailed long distances using (only) dead-reckoning and celestial navigation. Anyone who appreciates this fact should go check out his site [thoughtcrime.org] The stories section [thoughtcrime.org] has my personal recommendation.

    There's some analog technology for ya!

    --
    Lift Yr Skinny Fists Like Antennas to Heaven