Whisper keeping schtum over abuse of user data

Editor leaves "anonymous" app company but questions remain

Former editor of "anonymous" app Whisper, Neetzan Zimmerman, has left the company and joined Washington DC rag, The Hill.

Zimmerman was at the center of a controversy late last year when it was revealed Whisper was tracking its users, even those that had specifically asked not to be followed, in order to provide news fodder to media partners.

When the service's practices were exposed, Zimmerman went on an online tirade saying the claims were false, but later backtracked.

Zimmerman was placed on "administrative leave" pending an internal review: a review that CEO Michael Heyward said this week had "found no wrongdoing".

Despite the move, though, significant questions remain over Whisper's past actions.

FTC probe

The company has refused to say anything since October and is believed to be the focus of an ongoing investigation by the Federal Trade Commission (FTC) looking into whether it misled users and failed to gather sufficient consent to track their movements.

The ability to track users was in direct conflict to the company's explicit marketing messages about being the "first completely anonymous social media network" and were not covered by its privacy policies, which were swiftly updated by the company after its activities were reported by The Guardian newspaper.

The Guardian claims Whisper changed its terms of service and privacy policy four days after the newspaper approached it for comment, rewriting entire sections and creating a new privacy page.

Whisper vigorously denies that, not least because if true it would immediately run foul of the FTC and could be subjected to the same actions that the agency has taken with a number of internet companies, most recently Snapchat.

In the Snapchat case, the FTC found that "the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data", and that it "made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked". Precisely the same charges leveled against Whisper.

Snapchat escaped without a fine - although they can extend into the millions of dollars - but its privacy policy will be monitored and audited by the FTC for the next 20 years.

Holes

Even though Whisper's senior executives claim the policy changes they made were not as a result of the Guardian's story and had been a long time in the preparation, significant and unanswered questions remain.

CEO Heyward claims that the changes were "finalized" in July in order to be published in October. He later adjusted his story and said they were finalized in July and went through legal review in August. He then released an email string [PDF] between Whisper executives and the out-house lawyers and two documents that he claims are the same ones that are referred to in that email string.

The documents that Whisper claims were the same ones attached to the emails reflect the current policies on the website that were introduced in October, following the Guardian story.

It is hard to verify the truth of this sequence of events however because the entire email conversation is redacted and the two documents, while they appear to have the same file name, are provided separately and as PDF files, rather than the original Word docx format which would contain formatting time and date information.

Tellingly, the two redline documents quoted in the emails are not provided. Possibly because a PDF of a redline Word doc would contain date information that may not gel with Whisper's story.

Another suspicious part of Heyward's story is his claims that the company did not update its terms of service in September - the opposite of what The Guardian reported. If it is shown to have done so, it would undermine the company's argument that the changes were already in the works.

And yet we have a copy of the Terms of Use that states clearly at the top "Updated 2014-09-15": 15 September. This would suggest that Whisper did in fact change its policies only after it was approached by The Guardian and so was improperly accessing its users' data.

And now IP addresses

Unfortunately, that’s not the only suspicious policy change that Whisper has made and then claimed was already in place.

While defending his company last year, CEO Heyward repeatedly highlighted that the company only keeps the IP addresses of its customers for seven days.

"The entire internet collects IP addresses," he told the WSJD conference. "That's like trying to make a phone call without a phone number. The difference with Whisper is that we delete them after seven days. But to try to infer that because you have IP addresses means that your tracking users' GPS who opted out of GPS is just really highly sensationalist and really misleading to our users and to their readers."

As we pointed out at the time, IP addresses can be extremely helpful in identifying where people are located. Particularly if they are on an army base or a university campus which almost always have their own IP network. By coincidence, the stories behind the furore in the first place centered around users that were in the military or at university.

What makes Heyward's argument suspicious is that there was never any mention of Whisper IP-deletion policy before it was reported that the company was using IP addresses to track users that had turned off the app's GPS tracking.

So we asked Whisper point-blank when the IP-deletion policy had been introduced. We spoke to senior VP of content Eric Yellin and asked about the policy. He asked us to send an email with the request. So we sent an email to both him and the company's CTO Chad DePue. We are still waiting for a response. ®

Sponsored: What next after Netezza?

SUBSCRIBE TO OUR WEEKLY TECH NEWSLETTER




Biting the hand that feeds IT © 1998–2019