

How Whisper app tracks ‘anonymous’ users - blackRust
http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app-tracking-users

======
r0h1n
What amazes me is that all of this information came voluntarily _from
Whisper_.

> _The Guardian visited the Whisper offices to consider the possibility of
> undertaking other journalistic projects with the company and sent two
> reporters last month to look in detail at how the app operates. At no stage
> during the visit were the journalists told they could not report on the
> information shared with them._

What kind of a company invites journalists from a newspaper known for its
investigative/muckraking skills, and then hands over their secret sauce along
with such gems:

> _Separately, Whisper has been following a user claiming to be a sex-obsessed
> lobbyist in Washington DC. The company’s tracking tools allow staff to
> monitor which areas of the capital the lobbyist visits. “He’s a guy that
> we’ll track for the rest of his life and he’ll have no idea we’ll be
> watching him,” the same Whisper executive said._

> _The Guardian is no longer pursuing a relationship with Whisper._

Well, no shit Sherlock!

~~~
mpyne
> What kind of a company invites journalists from a newspaper known for its
> investigative/muckraking skills

I can only guess, but I'd be willing to bet it's because of a mistaken idea
that "we're on the same side", therefore any reporting by the Guardian would
almost certainly end up positive.

> and then hands over their secret sauce along with such gems:

... but yeah, I've got nothing, other than what were they thinking? I mean,
_I_ like the idea of keeping tabs on bad people, but then I'm not the one
running a website that claims I won't track people.

~~~
apls23
In this situation it was in Whisper's interest to sell their ability to locate
users as precisely as possible, they were obviously too keen to do so.
Journalists value Whisper's users' content because they can be sure that it
comes from a military base, for example, if their location tracking tools are
precise.

------
rubyrescue
I'm the CTO of Whisper. This is really bad reporting. A few notes:

1\. we use a legacy maxmind geoip database so we can put the whisper in a
general location. that is so inaccurate as to be laughable. for instance, my
current IP using our service says "USA", though I'm in Venice, CA. This is
hardly a privacy violation, and it's really important for a bunch of reasons:

a) The whisper needs to actually appear in the app, and it won't appear
without some general location. The % of all Whispers which are tagged as
somewhere in the middle of Kansas because we don't really know where they are
(but we know they are in the US) is very high. This is not a scandal.

b) We want to know where a user is in a general sense for things like tracking
timezone so when we send pushes we know not to send pushes at 3 in the
morning. you'd be surprised how often device timezone may not always match
with physical location.

c) We use general location to determine things users may be interested in.
folks who post in lower manhattan may see different results than people in
College Station, TX, over time.

d) We have a lot of anti-spam technology, and what IP you posted from, and
what country that IP is in, is important. I can't elaborate on this but it's
incredibly logical why we would use that information for things like keeping
the app from filling with spammy garbage.

e) We throw away the IP you used to create the whisper after a brief period of
time.

2\. We've been working with researchers at a local university to ensure the
anonymity around location was such that they couldn't determine groups of
whispers from the same user. They contributed to our randomization algorithms
and provided suggestions around security.

3\. We fuzz location even more than this on write and on reads. We randomize
it based on the observer who asks for the location, and we randomize it BEFORE
WE SAVE IT TO OUR DATABASE. In other words, we don't actually know where the
user was once the whisper is saved, and we can't even tell later.

4\. The guardian's reporting that we changed our terms of service in response
to the article is beyond silly. I am happy to show a screenshot of the email
chain between myself and our lawyers back in July. The entire point of
updating the TOS was to make it clearer and easier to read, not to protect
ourselves or give ourselves more rights to user data. It takes MONTHS to get
things like TOS right for an app like Whisper, and we take it seriously.

5\. Edited to add... We just don't have any personally identifiable
information. Not name, email, phone number, etc. I can't tell you who a user
is without them posting their actual personal information, and in that case,
it would be a violation of our terms of service.

~~~
moxie
Based on your own comments here, it sounds like the reporting is entirely
accurate. You're attempting to justify why you're tracking your users, but
you're still tracking them.

You've highlighted many of the hard problems in this space: how do you achieve
anonymity and unlinkability while doing things like IP hiding, spam filtering,
and relevance matching? The issue is that you haven't solved the problems, and
are instead suggesting you should get a pass because the problems are hard. It
seems simple to me: if you haven't designed something that gives you truly
unlinkable anonymity, don't claim to provide it. If you have to track your
users to make your app work, don't claim not to track your users.

There are projects like Tor that are approaching these types of problems
seriously, but apps like Whisper or Secret end up poisoning the well and
confusing users. There's a huge difference between "can't" track and "won't"
track. Right now you're claiming "can't," but it sounds like you're squarely
in the "won't" category of having your servers "avert their eyes." I think
this understandably makes people uneasy, particularly given the data mining
direction it sounds like the company is headed.

~~~
secfirstmd
Moxie,

Nothing I like more than watching you destroy snake-oil companies endangering
user privacy, like this one and also Telegraph etc. Let's hope
TextSecure/Redphone/Signal when they merge into one brand will get the amount
of users they really deserve. This stuff is never just about gossip in
Washington DC, it's always about the bigger picture of people in Sudan, China,
Russia etc who are led into a false sense of security.

Man, I would love to see some of the pushers of this snake oil software crap
in court some day as a result of the dangers they often knowingly expose their
users to.

BTW - I've been meaning to drop you a secure mail about some other stuff but
will do it next week.

~~~
ssully
Do you have any links about Telegraph endangering user privacy? I had a friend
try to get me to start using it. I haven't really had time yet to do a lot of
research on it and would love some insight if they are fishy at all.

~~~
secfirstmd
[http://www.thoughtcrime.org/blog/telegram-crypto-challenge/](http://www.thoughtcrime.org/blog/telegram-crypto-challenge/)

[https://news.ycombinator.com/item?id=6936539](https://news.ycombinator.com/item?id=6936539)

~~~
ssully
Thanks for providing these links. Very interesting stuff.

I heard about Telegram after its rise in popularity in Asian countries; shame
that they have (BIG) issues like this.

------
doe88
Note: _Whisper app_ != _Open Whisper Systems_

(Completely unrelated)

~~~
secfirstmd
Definitely an important point.

I love the work of Open Whisper Systems, Redphone/TextSecure/Signal is
brilliant. I hope they completely get the number of users they deserve when
they merge under the one brand.

------
scw
> The Guardian witnessed this practice on a three-day visit to the company’s
> Los Angeles headquarters last month, as part of a trip to explore the
> possibility of an expanded journalistic relationship with Whisper.

So they look to partner, don't like what they see and turn it into a story?
Whisper has two problems: violating its users' trust, and letting an external
group in without an agreement in place. The Guardian also looks bad flipping
this into a lede in my mind.

~~~
pessimizer
> The Guardian also looks bad flipping this into a lede in my mind.

The Grauniad would look bad for claiming to be journalists and not reporting
on this.

edit: really? Journalists, not under any 'off-the-record' or non-disclosure
agreements, seek to partner with an app that allows anonymous communication,
and find that it's tracking its users, storing all information, ignoring opt
outs, and funneling information to governments.

They shouldn't report this because what? They should report this even if they
are not journalists, but have a moral center.

~~~
secfirstmd
Agreed. The overwhelming public interest was served by The Guardian publishing
it.

------
agd
So even if you disable the location feature it still tracks your location? I'd
be interested what they mean by 'broad location tracking' but I can't imagine
that it's consistent with their anonymity claims. e.g. see
[http://www.nature.com/srep/2013/130325/srep01376/full/srep01...](http://www.nature.com/srep/2013/130325/srep01376/full/srep01376.html)

~~~
yva
I'm the author of this paper and I absolutely agree. If you keep identifiers,
simply blurring the location isn't enough to address the risks of
re-identification
([https://twitter.com/yvesalexandre/status/524219573650722817](https://twitter.com/yvesalexandre/status/524219573650722817)).

Re-identification is a very different risk than the one considered by the UC
Santa Barbara researchers in Wang, Gang, et al. "Whispers in the Dark:
Analysis of an Anonymous Social Network." (2014).
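
Added example, not part of any comment in this thread and not Whisper's code: a small simulation of the point above that blurring alone does not protect location when posts stay linked to one identifier. It assumes independent Gaussian noise per post, a 5 km blur and a user who posts from one fixed place; every value is constructed, and the app's real fuzzing algorithm is not described on this page.

```python
import math
import random

SIGMA_KM = 5.0          # assumed blur (std dev per axis), constructed value
TRUE_HOME = (0.0, 0.0)  # constructed true position, km on a local flat grid


def fuzz(point, rng, sigma=SIGMA_KM):
    """Blur one post's location with independent noise before it is stored."""
    return (point[0] + rng.gauss(0, sigma), point[1] + rng.gauss(0, sigma))


def error_km(estimate, truth=TRUE_HOME):
    """Distance between an estimated position and the true one."""
    return math.hypot(estimate[0] - truth[0], estimate[1] - truth[1])


def centroid(points):
    """Mean position of a set of stored (already blurred) points."""
    n = len(points)
    return (sum(p[0] for p in points) / n, sum(p[1] for p in points) / n)


def simulate(n_posts=1000, seed=2014):
    """Return (mean error of unlinked posts, error of linked centroid by n)."""
    rng = random.Random(seed)
    stored = [fuzz(TRUE_HOME, rng) for _ in range(n_posts)]
    # No identifier kept: each stored point stands alone, error stays ~sigma.
    unlinked = sum(error_km(p) for p in stored) / n_posts
    # Persistent identifier kept: the same points can be grouped, and the
    # independent noise averages out roughly as sigma / sqrt(n).
    linked = {n: error_km(centroid(stored[:n])) for n in (1, 10, 100, n_posts)}
    return unlinked, linked


if __name__ == "__main__":
    unlinked, linked = simulate()
    print(f"unlinked posts, mean error: {unlinked:.2f} km")
    for n, err in linked.items():
        print(f"linked by identifier, {n:>4} posts: {err:.2f} km")
```

For a privacy review the takeaway is that the blur radius says little on its own; what matters is whether stored records can be grouped per user.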

------
barnaby
Aren't Open Source privacy apps more preferable? Shouldn't we all be talking
about ChatSecure, Redphone, Textsecure, Mailvelope, Cryptocat, GPG, EnigMail,
etc.? And about the companies that offer these programs as a service?

While it's not a guarantee of privacy, open source does significantly increase
the likelihood that invasions of privacy and security vulnerabilities can be
discovered by enthusiasts and journalists. Right? Wouldn't that be preferable
when selecting a privacy app?

~~~
kbart
Of course, but common users don't have technical knowledge to know the
difference, so they depend purely on marketing and trust (I guess "the safest
place on internet" here did its trick). It's good that mainstream media
finally starts paying attention to privacy, maybe it will make
non-technical users think twice before trusting such bullshit apps/services.

------
someoneelsetoo
Anonymous - no way. A small amount of location tracking + the additional data
any agency and many others can easily access will easily identify an
individual. I read the UCSB paper referenced by the Whisper CTO - it just said
there was a hard problem Whisper was trying to do something about. The paper
also said that each user had a permanent GUID. So if I, with my GUID, get on a
plane from SFO to (say) Santa Fe on one particular day - the GUID use moving
will make it clear I have taken a plane - then the agency (or perhaps my
credit card issuer?) will get the candidates for my GUID down to a few hundred
at most just from that move and the passenger list (or ticket purchase
records). Coupled with my GUID's home city and work city and they probably
have me nailed - just like that. Trivial.

------
forgottenpass
I've always suspected that the standard rationalizations about modern user
tracking (not _technically_ PII or assuming your data won't be analyzed
outside the aggregate) were feel good nothings. At least I have something
concrete to point to now when I say it's all bullshit.

------
shiven
All I have to say is, Thank you Guardian!!!

And, oh, screw this app.

I wouldn't recommend it to anyone. Or any other _claimed_ secure/anonymous
app, that does not have the "Moxie Marlinspike seal of approval"(TM)!

------
krigi
I'm not upset or surprised by this. However, it's not the tracking Whisper and
similar apps do that upsets me; it's the trashy content and vituperative
gossip produced by their users.

------
socrates2015
The central business model of our tech times is converting data into money.
The eternal pressure will be to gather more and more data over time since that
will result in more money.

------
blueskin_
A fool and his privacy are soon parted.

