Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Analysis Whisper's CEO has attempted to undercut criticism of his company by suspending its editorial team and penning a lengthy response to accusations of privacy abuses and user tracking.
Editor-in-chief Neetzan Zimmerman, as well as an undisclosed number of staff, have been put on leave "pending the results of our internal review," CEO Michael Heyward wrote in a post titled "Setting the Record Straight."
Heyward continues to deny a range of privacy violations highlighted in articles earlier this month, noting that "much of The Guardian's reporting on this issue has been highly misleading or just plain wrong."
The response provides answers to 10 questions published by the same Guardian journalists in response to the news that Senator Rockefeller had sent a letter to Whisper asking for a briefing on its privacy policies.
Those answers attempt to distance Whisper from the main thrust of the complaint - that Whisper tracks its users' locations and provides details to media outlets and government agencies - by suggesting that neither the Guardian journalists nor its own editorial team understood the finer technological points and so made misleading claims and statements.
"Many of [The Guardian's] claims arise from the fact that they made technology-related inferences based on discussions with non-technical people," reads one part of the response. In another: "Neetzan's reaction to the Guardian's allegations has taken away from the substance of the issue."
Pulling troublesome claims into the finer points of technology or policy is a tried-and-tested way to kill interest in a story. Fortunately, at The Reg we love digging into a tech policy discussion and emerging holding aloft the Shovel of Truth.
To make things simpler, we're going to use Whisper's own posts to explain.
Promoting itself as “the first completely anonymous social media network” and “the safest place on the internet”, Whisper allows you to type messages on top of an automatically chosen picture and post them publicly.
The app has proved hugely popular, not least because users felt it was a safe environment to share their innermost thoughts.
How was this whisper "found"?
Whisper soon discovered that these thoughts were also newsworthy and so it developed partnerships with a number of outlets including The Huffington Post, Buzzfeed, and The Guardian covering issues such as virginity at university and, as the Whisper post above shows, sexual assault in the military.
Whisper told Buzzfeed it had vetted all the posts made about sexual assault in the military, removing any it thought were bogus. But of the 23 posts in that story, five of them came from people that had specifically opted out of geolocation.
The Guardian is quite clear that, based on conversations it had with Whisper executives, it believes this verification was done by checking the location of the poster at the time of the post, and both before and subsequently. In other words, by tracking the "anonymous" user to see if they had been near military bases or other similar locations that would lend veracity to the post.
Whisper's CEO claims the explanation is much less sinister. "These Whispers were vetted based on keywords in the post, so it's not surprising that the article includes some public Whispers that do not include location," he argues.
Note that he does not say that location data was not used to verify the authenticity of the posters but that "keywords" were a key component. And that claim does appear to be borne out in the majority of the posts: in nearly every case the same words appear: 'sexual assault', 'military', 'army', 'rape' and so on.
The post above has no mention of these keywords. Instead it reads: "I reported it. I saw him every day for 2 months. At the Article 32 I was told that my character was in question and I wasn't drunk enough. He got promoted and away with it." The only possible connection to sexual assault in the military is "Article 32", which is army shorthand for a preliminary hearing.
Each Whisper post contains approximate details of where the post was sent from. In this case it reads "somewhere" - meaning that the user had specifically turned off geolocation. So just how did Whisper track down this post?
According to the Guardian's journalists - who, far from Heyward's assertions, were actually shown the technology and encouraged to play around with it - employees are able to search the company's database in a number of different ways: content, geolocation, IP address (if geolocation is turned off) and past and current posts from that user.
Whisper claims that the IP addresses it stores only give a very approximate sense of where someone is located: something that is both true and profoundly misleading.
While geolocation data can place you within a few feet of where you are standing (extremely useful when you are using Google Maps for directions or Yelp to find the closest sandwich shop to you), IP addresses will often only give you an approximate area.
Except, that is, if someone has a dedicated IP address (which many people, especially gamers, do) or if your device is using an IP address that does not come from a commercial ISP (like most large companies, and nearly all military bases and universities), in which case it's far more accurate.
For fairly obvious reasons, military compounds have their own networks and IP addresses (in fact here is a long list of them). So do universities. Both are often self-contained spaces - you rarely wander onto a university campus unless you are a student and you will be physically prevented from entering most military bases unless you have the right ID.
So if you are keeping a record of the IP address from where a message is posted - and Whisper is - and that message is sent from a phone connected to the network on base or campus, you can be pretty much 100 percent certain that that person is military personnel or a student.
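To make the point concrete from the data-retention side, here is an added example (not Whisper's code and not from the original article) showing what can still be inferred about a post marked "somewhere" depending on what the service stores. The allocation table, post records and function names are all constructed for illustration, using reserved documentation address ranges rather than real networks.

```python
import ipaddress

# Constructed allocation table built on RFC 5737 documentation ranges.
# In practice this information comes from public registry (WHOIS) records.
ALLOCATIONS = [
    (ipaddress.ip_network("192.0.2.0/24"), "military base (constructed)"),
    (ipaddress.ip_network("198.51.100.0/24"), "university campus (constructed)"),
    (ipaddress.ip_network("203.0.113.0/24"), "consumer ISP pool (constructed)"),
]

# Constructed post records: "somewhere" means geolocation was switched off.
POSTS = [
    {"id": 1, "location": "somewhere", "ip": "192.0.2.77"},
    {"id": 2, "location": "somewhere", "ip": "203.0.113.9"},
    {"id": 3, "location": "Austin, TX", "ip": "198.51.100.200"},
]

def owner_of(ip):
    """Return the label of the allocation containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in ALLOCATIONS:
        if addr in net:
            return label
    return None

def truncate(ip, prefix=24):
    """Common 'anonymisation': zero the host bits, keep the first `prefix` bits."""
    net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    return str(net.network_address)

def affiliation_leaks(posts, stored_ip):
    """Map post id -> affiliation inferable from what is stored, opted-out posts only."""
    out = {}
    for post in posts:
        if post["location"] != "somewhere":
            continue
        kept = stored_ip(post["ip"])  # what the retention policy writes to disk
        out[post["id"]] = owner_of(kept) if kept else None
    return out

if __name__ == "__main__":
    print("full IP kept:  ", affiliation_leaks(POSTS, lambda ip: ip))
    # Truncating to /24 does not help when the institution's block is /24 or
    # larger, and institutional blocks are often larger than that.
    print("/24 truncation:", affiliation_leaks(POSTS, truncate))
    print("IP not stored: ", affiliation_leaks(POSTS, lambda ip: None))
```

Only a retention policy that drops the address, or truncates it more coarsely than the institution's own allocation, removes the affiliation signal for users who opted out of geolocation.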
Is it just coincidence that the vetted posts that Whisper has supplied to its partners - which include the Department of Defense - have come from college campuses and military bases? If so, it is one of a startling number of coincidences.