Careless Whisper? Anonymous messaging app accused of stalking users, blabbing to Feds

The makers of Whisper have denied claims that the anonymous messaging app is secretly tracking the whereabouts of its privacy-conscious users.

The startup hit back following reports that detailed location logs are shared with the US government.

Whisper is a two-year-old phone app that allows people to publish text overlaid on images to the whisper.sh website and other Whisper users, and comment on these posts, all using anonymous handles. It looks something like this and this.

The app allows peeps to tag their missives with a location, but there is an opt-out button to avoid revealing one's whereabouts. Now an investigation by the Guardian suggests this button is ineffective: your movements are always tracked, it's reported.

According to the Graun's dossier, if this geolocation tagging is turned off by someone who posts something interesting, staff are instructed by bosses to ignore the opt-out and find the user's "latitude and longitude" using IP addresses and other data. Specific people are closely monitored for juicy titbits, the report claims, even if they think they are anonymous.

An unnamed Whisper executive apparently told reporters about a sex-crazed lobbyist in Washington DC who posted stuff using the software; the exec explained how the application was able to track which offices the lobbyist visited in the United States' capital, we're told.

"He's a guy that we'll track for the rest of his life and he'll have no idea we'll be watching him," the Whisper executive allegedly said.

The reporters, Paul Lewis and Dominic Rushe, were also told that the firm shares its data with British and American g-men when requested to do so, and shares the messages posted by some military personnel with the US Department of Defense. The startup is trying out the application in China, and will do the same kind of info disclosure to government officials in the Middle Kingdom if mandarins ask them, it's claimed.

The report also alleges that Whisper is keeping a log of all the posts made since its inception, despite claiming to only hold onto them for only a brief period of time. The Guardian claims Whisper rewrote a section of its privacy policy after it informed the firm it was going to publish an exposé.

Whisper roars back

The response from the California app maker has been swift and forthright, with Whisper's editor-in-chief taking to Twitter to protest the piece.

Yes, Whisper has an ed-in-chief because the site works closely with news outlets such as BuzzFeed and the Guardian, sharing juicy anonymous posts with newshounds to turn them into stories – hence the need to know where and when people are, which is the crux of Whisper's problem this week. It wanted to be a news source and a private messaging service.

The Guardian said it sent some of its reporters to visit the Whisper team, apparently uncovered the location tracking, bailed out of the partnership, and ran Thursday's story. In response, Neetzan Zimmerman, Whisper's editor-in-chief, bellowed:

First response: The Guardian's piece is lousy with falsehoods, and we will be debunking them all. Much more to come.

— Neetzan Zimmerman (@neetzan) October 16, 2014

Second response: The Guardian made a mistake posting that story and they will regret it.

— Neetzan Zimmerman (@neetzan) October 16, 2014

In a detailed rebuttal, the firm insists that if someone opts out of the location tagging, the upstart won't store that data – and for those who do sign up to geotagging, they'll be tracked to within 500 metres. As for tracking IP addresses, the Whisper team says that such data only provides a "very coarse location to be determined to the city, state, or country level."

The firm reiterates that it only stores users' messages for "a brief period of time," and says the data it does store isn't personally identifiable information – and that is stored in private, security-audited servers.

If users make a newsworthy claim, past posts are used to establish their veracity – which is telling about the "brief period of time" claim. We've seen posts on the site that are two weeks old. Anyway, if Whisper editors contact the user, they always identify themselves immediately, we're assured.

Whisper does comply with lawful requests for data from the Feds, it says, as all US companies are required to do, and said it shared data with the Department of Defense as part of a program to reduce military suicides.

As for China, the firm says it hasn't launched the app there yet, but says it always complies with local laws and regulations in the countries it operates in. In China's case, these same laws inspired Google to shift its servers off the Chinese mainland.

Whisper CTO Chad DePue also took to the message board on Hacker News to defend his app on technical grounds. He described IP tracking as "so inaccurate as to be laughable," and said that it was needed to deal with spammers. Any IP address data is deleted "after a brief period of time," he said.

As for allegations that the firm changed its terms and conditions just before the Guardian article went to press, DePue described this as "beyond silly." The terms and conditions changes had been under discussion for months, he claimed, and the changes were designed to make them easier to understand.

And yet…

But questions still remain over the amount of sensitive information Whisper gathers.

For a start, when users download the application from Google's Play Store, the software asks to for access to the user's identity, locations, Wi-Fi hardware and device ID information.

More worryingly, an analysis of the application's executable by security expert Jonathan Zdziarski shows code that appears to contradict Whisper's statements about that 500-metre location granularity.

Whisper instructs CoreLocation to get your location within 100 meters. That's hardly limiting it to just your city. pic.twitter.com/KBAwPwkUBk

— Jonathan Zdziarski (@JZdziarski) October 16, 2014

"That's the requested minimum accuracy," Zdziarski told The Register.

"There are a number of different options you can request from the [iOS] core location manager. It would seem that if they were really interested in just your city, they'd have requested it within a kilometer, at least. Those are Apple constants they're using; a kilometer option exists."

Whisper sent us the following statement:

Whisper does not collect nor store any personally identifiable information from users and is anonymous. There is nothing in our geolocation data that can be tied to an individual user and a user’s anonymity is never compromised. Whisper does not follow or track users. The Guardian’s assumptions that Whisper is gathering information about users and violating user’s privacy are false.

"For users who opt into geolocation services, the location information that we do store is obscured to within 500 meters of their smartphone device’s actual location," the upstart added. ®