
Preliminary Findings on Whisper - jzdziarski
http://www.zdziarski.com/blog/?p=4056
======
Animats
The important conclusion:

 _The core platform this application appears to be designed on is Fiksu
([http://www.fiksu.com](http://www.fiksu.com)). Fiksu describes themselves
as a “user acquisition” company, focused on analytics, social tracking,
advertising, incent, and interest mining. ... Unlike most applications that
incorporate analytics packages as a secondary module, it appears that Whisper
is built on top of the Fiksu platform, where Fiksu acts as the primary
application delegate, and the social networking element of Whisper acts as
secondary to the application’s subject tracking and analytics core._

Putting the user's unique Whisper ID into the EXIF data of uploaded pictures -
now that was sneaky.
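The EXIF point above is checkable and fixable client-side: a JPEG is a sequence of marker segments, and Exif lives in an APP1 segment whose payload starts with `Exif\0\0`. The following is an added example (not code from the post or from Whisper) that walks those segments, reports any Exif block, and strips it before upload; the sample image and the `user-id=...` tag inside it are constructed stand-ins.

```python
import struct

# JPEG markers used below (big-endian 16-bit values).
SOI, EOI, SOS, APP1, DQT = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFE1, 0xFFDB
EXIF_HEADER = b"Exif\x00\x00"   # APP1 payload prefix that marks an Exif block


def iter_segments(data: bytes):
    """Yield (marker, offset, payload) for each header segment up to and including SOS."""
    if data[:2] != struct.pack(">H", SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        marker, length = struct.unpack(">HH", data[pos:pos + 4])
        if marker >> 8 != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        payload = data[pos + 4:pos + 2 + length]   # length counts its own 2 bytes
        yield marker, pos, payload
        if marker == SOS:   # entropy-coded image data follows; no more headers
            break
        pos += 2 + length


def find_exif(data: bytes):
    """Return the raw Exif block (after the 'Exif\\0\\0' prefix), or None if absent."""
    for marker, _, payload in iter_segments(data):
        if marker == APP1 and payload.startswith(EXIF_HEADER):
            return payload[len(EXIF_HEADER):]
    return None


def strip_exif(data: bytes) -> bytes:
    """Return the JPEG with every Exif APP1 segment dropped; pixel data is untouched."""
    out = bytearray(data[:2])
    copied_up_to = 2
    for marker, offset, payload in iter_segments(data):
        seg_end = offset + 4 + len(payload)
        if not (marker == APP1 and payload.startswith(EXIF_HEADER)):
            out += data[offset:seg_end]
        copied_up_to = seg_end
    out += data[copied_up_to:]   # scan data after the SOS header, and EOI
    return bytes(out)


def segment(marker: int, payload: bytes) -> bytes:
    return struct.pack(">HH", marker, len(payload) + 2) + payload


# Constructed sample: a made-up per-user identifier where a camera would write
# TIFF tags, a placeholder DQT, a minimal SOS header, two bytes of "scan data", EOI.
USER_TAG = b"user-id=EXAMPLE-ID-0001"
SAMPLE_JPEG = (struct.pack(">H", SOI) + segment(APP1, EXIF_HEADER + USER_TAG)
               + segment(DQT, bytes(65)) + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
               + b"\x12\x34" + struct.pack(">H", EOI))
```

Run `find_exif` on the upload path to detect any identifier a library has planted, and `strip_exif` (or a full metadata rewrite) before the bytes leave the device.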

~~~
RexRollman
I've never heard of that company before. That link is disturbing. It
makes me wonder how many apps are doing the same thing as Whisper.

------
fapjacks
I interviewed there some time ago. I saw the internal system they're talking
about, and the attitude there indeed is that they're tracking users
(specifically their locations, timestamps and previous posts, but they are
able to distinguish discrete users using these metrics). What actually made my
spidey sense tingle during my site visit was a weird sort of groupthink there.
I interviewed at many places, but at Whisper I got the distinct feeling of
collective hivemind. The kind where one guy can get away with saying, "Do the
village. Do the whole fucking village." For what it's worth, I'm not sure they
as a group (at the lowest levels) feel/felt they were committing any
wrongdoing by labeling it "anonymous" while also simultaneously tracking users
down to location, timestamp, and post on this big internal map. But the guys
in charge understand exactly what they're into. Also they're at least aware
that they are tracking users on military bases, since that conversation came
up. For what it's worth.

------
corbanr
FYI
[https://twitter.com/whispersystems/status/522795025189462016](https://twitter.com/whispersystems/status/522795025189462016)

~~~
MichaelGG
Rather than just a link to Twitter, why not point out that this Whisper app is
not the same as Whisper Systems, which makes TextSecure.

------
MichaelGG
On Android, Whisper requires permissions to read your device serial number,
and the phone numbers you call or that call you. This is in addition to many
other permissions.

Is there any legitimate need for Whisper to have serial numbers and the phone
numbers that users call?

------
bkeroack
If Whisper were dedicated to providing a strongly anonymous social networking
service to users, it would likely be structured as a nonprofit/not-for-profit
organization like the Tor Project (for example). Given that it is a VC-backed
startup, I would expect them to be collecting analytics at the very least.

~~~
spacefight
VC backed with 60m... Can't believe it.

~~~
jgalt212
I'd pay way more than $60m to learn the world's secrets. Unfortunately, for
the VCs, it seems the world has learned Whisper's secret as well.

------
snowwrestler
> While traditional IP address based tracking provides plausible deniability
> only to the network endpoint, these unique identifiers provide positive
> identification of the device that, given fingerprint and/or passcode
> authentication, can also serve as positive identification of an individual,
> eliminating any plausible deniability of the user’s identity.

Can any lawyers versed in this area of the law comment on whether something
like a phone can ever be "plausibly deniable" absent obvious evidence of
theft?

Or comment on the concept of "plausible deniability" as a useful legal defense
in general? I'm dubious that it offers any meaningful protection.

~~~
TillE
If it weren't a meaningful protection, Freenet would have been shut down a
long time ago, and all users arrested. Freenet's architecture seems like a
reasonably good technical solution to a legal problem, by making it very
difficult to distinguish between who requested data and who merely routed it.

But it's ludicrous for Whisper to deny that an IP address and timestamp is
personally identifying information. To law enforcement or anyone else you have
to worry about, it's close enough.

------
scintill76
I read the Whisper CTO's StackOverflow link[0], and
kCLLocationAccuracyHundredMeters does seem like the most conservative GPS-
enabled choice, but IMO it still raises questions about why GPS accuracy is
required, and why they didn't fuzz the location app-side.

Also all the analytics stuff is troubling, in an app that supposedly focuses
on privacy.

[0] [https://stackoverflow.com/questions/3411629/decoding-the-cll...](https://stackoverflow.com/questions/3411629/decoding-the-cllocationaccuracy-consts)
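On the "fuzz the location app-side" point: the accuracy constant only tells the OS how precise a fix to deliver; coarsening what the app then sends is a separate step. Added example (not Whisper's code, not from the post) that snaps a fix to the centre of a fixed 1 km grid cell, which is assumed here as a reasonable "nearby" resolution; the San Francisco coordinates used for illustration are constructed.

```python
import math

EARTH_RADIUS_M = 6_371_000.0


def coarsen_fix(lat: float, lon: float, cell_m: float = 1000.0) -> tuple[float, float]:
    """Snap (lat, lon) to the centre of the cell_m-wide grid cell containing it.

    Rounding to a fixed grid (rather than adding random jitter) means repeated
    fixes from the same spot all map to one point, so a server cannot average
    many uploads back toward the true position.
    """
    lat_step = math.degrees(cell_m / EARTH_RADIUS_M)          # ~0.009 deg per km
    cell_lat = math.floor(lat / lat_step) * lat_step + lat_step / 2
    # Longitude cell width is taken at the band's centre latitude so every fix
    # in the same latitude band shares one longitude grid.
    lon_step = lat_step / max(math.cos(math.radians(cell_lat)), 1e-6)
    cell_lon = math.floor(lon / lon_step) * lon_step + lon_step / 2
    return round(cell_lat, 6), round(cell_lon, 6)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points on a spherical Earth."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def max_error_m(cell_m: float) -> float:
    """Worst-case distance from a true fix to its reported cell centre (half the diagonal)."""
    return cell_m * math.sqrt(2) / 2


# Constructed sample fix (downtown San Francisco), not data from the post.
TRUE_FIX = (37.7749, -122.4194)
REPORTED_FIX = coarsen_fix(*TRUE_FIX)
```

The reported point is what goes in the upload; the true fix never leaves the process, and `max_error_m` gives the bound you can document to users.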

------
no_future
Why did people suddenly realize now that there is something fishy going on
with a LOCATION BASED APP that claims to be anonymous and privacy-oriented?

------
aw3c2
_Please turn JavaScript on and reload the page. DDoS protection by CloudFlare_

What the hell? I just want to read a random page.

------
TheLoneWolfling
> Please turn JavaScript on and reload the page.

> DDoS protection by CloudFlare

No other content on the page.

Anyone have the article in a readable form?

------
felixgallo
this blog post was so awful it made me cringe.

"The application incorporates pieces of various analytics packages, including
those from Fiksu, Facebook, and some proprietary logging. As a result, it is
likely possible that all activity within the application can be collected,
including user taps, application activity time, hours of use, and even
potentially unsent content typed in by the user. I have not made any attempt
to specifically identify what analytics are active in the app; I am speaking
of the capabilities of most analytics packages in general."

This app includes third party libraries. Therefore it could do anything. I
didn't check.

Shameful.

~~~
me_again
The app contains third party libraries _specifically designed for user
analytics_. Therefore, maybe it might be using them to gather information
about how users use the app. Why else deploy them - for fun?

In the context of an app which is "committed to being a safe place for our
users to anonymously share their innermost thoughts"
([http://whisper.sh/privacy](http://whisper.sh/privacy)) that is interesting,
if not conclusive.

I don't see anything disgraceful about publishing that information. A full
security investigation of an app from a security firm costs $'000s - you can't
expect a definitive rundown for free.

~~~
felixgallo
specifically designed for analytics. Not necessarily user-level, human-level
analytics. The chinstroking that follows was risible consultancy-baiting.

