
The ethics of the Guardian's Whisper bombshell - r0h1n
http://m.cjr.org/303546/show/fa2aa41c24bd3f6153bb074404b15eb1/?
======
PeterisP
Let me give a list of people who actually should be named and shamed here:

Everyone who had seen the stuff going on but didn't blow the whistle.

I understand the people who did the deed - according to the description "A
team headed by Whisper's editor-in-chief, Neetzan Zimmerman" \- they had some
rather obvious profit motivation. I understand the people at The Guardian -
they simply did the right thing. But everybody else at Whisper and their
guests and passersby who had seen this happen - you suck. If you see your
employer do slimy stuff, and put your "loyalty" as a reason to let it be, then
you're as slimy and deserve to be associated with the slime and blamed for it,
and I hope they're paying an appropriate price for selling your conscience.

If you see your acquaintance (or a company you're visiting or investing in)
doing bad stuff, and simply do nothing, then that's not calling being a
passive bystander - it's called being an accomplice, and you deserve to be
treated as co-guilty.

~~~
cle
Things are never that simple. There are often complicated situations that may
prevent people from blowing the whistle (for example, people with families
that rely on their income). It's never as black-and-white as you make it seem,
and automatically lumping everyone into the "guilty" or "evil" camp is
unjustified (unless you know the specifics of the people you're condemning?).

~~~
PeterisP
Of course, doing the right thing very often has a cost and self protecting
behavior is very natural.

I can very much understand why they likely chose to do a bad thing and I can't
claim that given their specific circumstances I woudn't do the same in their
shoes - but yes, it is still justified to claim that they _did do a bad
thing_.

Knowing the specifics of the people I'm condemning clarifies the justification
and reasons for behaving the way they did but it cannot make their conscience
clean. Having good personal reasons for behavior that hurts others is an
understandable mitigating circumstance, but the actions should still be
condemned by the wider society.

------
electromagnetic
Maybe if you're lying about your app and policies, it's probably not a good
idea to bring a newspaper into your offices! Especially when its blatently
obvious you're looking to use your app to either blackmail or leak this
information for your own gain.

The Guardian is a newspaper, it acted exactly how it should have.

If I knowingly invite a cop into my house and I've got a pound of cocaine on
my coffee table. Is it unethical for the cop to arrest me? No. They're a
fucking cop!

If you don't want people knowing shady parts of your business, don't invite
people who make a living publishing stories about shady goings on!

~~~
a3n
No, it's an excellent idea to bring in outsiders when you're lying! I hope it
catches on!

~~~
HillRat
I genuinely can't understand the thought processes of the nabobs who think the
Grauniad acted inappropriately here. My first response was, "Journalism is not
the priesthood," and considered it similar to interviewing Frank Underwood on
background and _not_ reporting on his history of blackmail and murder. But
it's really even simpler than that -- it's as if Nixon went on _Meet the
Press_ and started bragging on-air about black-bag jobs to Spivak. Under what
journalistic conventions _wouldn 't_ you report it out? Certainly makes you
wonder what Business Insider _isn 't_ reporting.

(By the way, I apologize -- I mis-clicked when upvoting your comment, and had
to upvote a few past comments to rectify the error. I posit my poor hand-eye
coordination is the result of either too many espressos or not enough; I'll
pull a few more shots and report back on the results.)

~~~
a3n
> By the way, I apologize

We'll get through this. :)

------
iamshs
It is appalling how brazenly Keith Rabois, Dan Primack and interestingly Henry
Blodget (charged with a civil securities fraud by SEC [1, 2]) acted publicly
and pinned moral blame on Guardian. Reeks like repeat of Gary Webb episode.

What is wrong with Guardian's reporting on Whisper's? As this article shows,
nothing at all. Good for them to break open this cabal and report user's best
interests, and not being worried about getting lampooned on by "new" media.
Good on CJR for this write-up, I very well appreciate it. Guardian acted like
journalists here.

[1] -
[http://www.sec.gov/litigation/complaints/comp18115b.htm](http://www.sec.gov/litigation/complaints/comp18115b.htm)
[2] -
[http://www.sec.gov/news/press/2003-56.htm](http://www.sec.gov/news/press/2003-56.htm)

Well i found this interesting article:-
[http://www.theregister.co.uk/2014/10/20/whisper_doorstepping](http://www.theregister.co.uk/2014/10/20/whisper_doorstepping)

------
snsr
It seems that Whisper is acting in a manner that is contradictory to almost
every claim they make about the service and software. Isn't this just spyware?

\- They track your location regardless of stated preferences

\- They store "anonymous" messages indefinitely

\- They share contents of said messages with the media when it's profitable
for the corporation

\- They freely share data with the US, UK and Chinese governments

\- They track users with a high potential for juicy posts "for life"

\- They lie about all of the above (though their terms have been updated since
the Guardian revelations)

~~~
zaroth
I think it's more nuanced than that. If geolocation is turned off, I don't
think they are pulling GPS data anyway. So they are not 'tracking your
location regardless of stated preferences' any more than every other site on
the internet. They don't track anything that isn't implicit in the functioning
of the internet -- i.e. an IP address.

Obviously they store the messages that their users submit to them. Their data
retention should be spelled out in their ToS, and it's not clear if they are
violating their own policies here. But take, for example, when Google a while
back made a very concerted effort to ensure that deleting an email in Gmail
actually meant the email would be deleted from all backups system-wide in some
reasonably short timeframe (some number of days/weeks). However, prior to
this, and in almost all databases worldwide, you will find that clicking
'Delete' doesn't actually remove the item from backups, and backups are kept
for quite a long time / indefinitely.

An anonymous post is not necessarily a secret post, they are two different
concepts entirely. I've never used Whisper, but when you post something there,
I believe it is _entirely public_. On the face of it, there should be no more
an issue sharing a tweet than sharing a whisper. To the following point, I
would need to understand what _private_ data they are sharing, not simply that
they are featuring specific public posts. If they do feature a post, it makes
sense for them to do some due diligence on the veracity of the claims.
Honestly, I'm not sure how I feel about them using GeoIP databases as part of
that diligence. If someone makes a post to Whisper without using Tor then they
have certainly given their IP address away completely willingly, but I'm not
sure what restrictions on use of that IP are expected by Whisper, or by any
site in general which logs IPs (all of them).

Whisper, very similar to Snapchat, both promise the impossible. If you
understand that technically their core feature is not actually possible, you
try to understand why do people use it anyway. Either they truly thought they
were getting the impossible, or there's value to the platform anyway. With
Snapchat, you can see how they are trying to reframe the issue from truly
secure ephemerality to simply a _user interface_ which focuses on the present
and discards the past. Similarly, Whisper is trying to reframe the issue from
truly secure anonymity, to simply a user interface which doesn't include
usernames / identity.

Unless you are a trained professional practicing perfect opsec, you _are not
anonymous on the internet_. It's wrong and potentially dangerous that Whisper
is making people feel like they are perfectly anonymous, but I almost wonder
why anyone on HN would be surprised by any of this? As a cryptographer, I
expect every piece of information I submit/leak to be used against me, so
given there's literally nothing about Whisper that provides any security
whatsoever, my expectation going into it would be that I am getting none. I
get that my perspective is completely different from the average user on this.

~~~
Zigurd
That's a bit like saying "I'm a nutritionist. How could not think most of the
aisles at the grocery store are out to kill you?"

~~~
zaroth
Food isn't supposed to kill you, but the internet definitely is supposed to
identify you. It's only through extraordinary measures that you can get on the
internet anonymously, but it would take extraordinary measures to kill
yourself eating at the grocery store.

If someone told me the corner grocery store was selling deadly food, I would
be just as likely to believe them as someone telling me that posting on
Whisper.sh keeps me securely anonymous on the internet.

~~~
titanomachy
> the internet definitely is supposed to identify you

If you have a rudimentary technical understanding of the internet, it's clear
that the default assumption should be that you're identified unless presented
with strong evidence/reasoning to the contrary. But what percentage of
internet users do you think have any technical understanding of the internet?
20-30 percent, maybe? To most people it's basically magic, and they have no
compelling reason to give any thought to how it works.

Regulations should be designed with the common user in mind, not the
technically proficient. If a company claims that they provide anonymity, they
should live up to that promise or be prosecuted for false advertising.

~~~
zaroth
I think the fact that this was as big of a story as it is shows us how poorly
people understand how privacy and anonymity work online.

The closer the general response to this story is "Well, duh" I think the
better.

------
mikeh1010
Scary to see so many journalists piling onto other journalists who are
actually doing their jobs in the public interest (but against corporate
interests). Reminds me of the "journalists" who were so fast to criticize
Glenn Greenwald for his NSA reporting.

~~~
matti3
Maybe they are afraid of compromising or losing unethical connection that they
may be nurturing with some of these companies.

------
slg
The Guardian acted perfectly ethically as a news organization.

The Guardian acted completely unethically as a business partner.

Another reason why introducing profit motives into a news organization is a
recipe for trouble. Conflicts of interest like this are just too common.

~~~
PeterisP
I'm going to have to disagree here.

If some other business partner was shown the same thing as Guardian but chose
to disregard it due to their business relationship, then I will consider them
as unethical themselves, much more so if they took any active measures to hide
it, such as a manager implying to their subordinate that they should keep
their mouth shut about their ethical feelings re: their partner's behavior.

------
api
People need to understand this. If an app or service is free and some
combination of:

(a) _At all_ expensive to run.

(b) Funded by investors who demand a return.

(c) Has no visible means of direct revenue.

... then you _REALLY_ need to ask the following question immediately before
deciding to use it or what to entrust it with:

"How is it monetizing _me_?"

If you see an app or service like this, you are the product. It's either
tracking you, spying on you, selling your data, somehow targeting you for
advertising, or doing something else of a similar nature.

~~~
Zigurd
This isn't as axiomatic as you might think. Eyeballs count more than revenue
in many cases, and can carry some ventures all the way through to liquidity
with no profit on the horizon. This is especially true in messaging apps where
building a network effect is a far higher priority than profit.

------
goodgoblin
Clearly what Whisper was doing was newsworthy, but at the same time I can
understand why other journalists would want to debate the issue since it could
impact one of their profession's building blocks ( on-the-record v.s. off-the-
record distinctions). The ethics around exceptions for similar tools such as
attorney-client privilege and doctor-patient privilege are subjects for
professional debate but what sets journalism apart is the number of people
impacted by the scope of their decisions. Would a majority of lawyers feel
compelled to alert the authorities in Whisper's case? Only if they were
committing fraud. Lawyers necessarily are privy to an incredible amount of
malfeasance, and no matter how troubled this knowledge might make them, their
function depends on their silence.

Would a majority of journalists would feel this story was damaging enough to
the public that they had an obligation to publish it? Probably.

Should we feel bad for the public personas who are being taken to task for
expressing an opinion that ended up on the wrong side of the issue? To some
degree, yes. While these avatars did seek out the relative fame that now
shames them, their mistaken logic forces the projection of humanity that
twitter and blogs represent to consider both sides, and pause.

~~~
lotsofmangos
Protecting your source and keeping stuff off the record only counts when your
source is passing on information about a story, not when your source is the
story.

edit - for example, if a journalist is investigating a crime and you offer to
give them information as long as it stays off the record and they agree, but
then you tell them you committed the crime they are trying to investigate,
they have no obligation whatsoever to keep what you said to them off the
record.

~~~
zaroth
No. Once you agree you are talking off the record, there's no going back on
that. In this case, however, I don't think anyone has claimed that Guardian
reporters were off the record.

What makes this an interesting case study in journalism ethics is that they
weren't off the record, but whether you can ethically act in your capacity as
a journalist in the middle of strategic business negotiations. The two are
opposing interests, so to the extent I think I'm in a business meeting with
The Guardian Company I'm probably also not thinking I'm the lead in their next
story.

To turn it around a bit more, would it be OK for Guardian to go into Whisper
under false pretenses, knowing they have no interest in a partnership, but in
order to gather facts for a story? Surely they are entitled to do that form of
investigative reporting, but likewise they shouldn't be surprised if that
blows back on them the next time they want to form a strategic partnership
with someone.

~~~
lotsofmangos
" _No. Once you agree you are talking off the record, there 's no going back
on that._"

Of course there is, for instance if someone was threatening to harm you or
others, it really wouldn't matter if you had agreed to keep things off the
record. There is a difference between professional discretion and complicity.

edit - you described the tactics they possibly used and the potential
strategic blowback, but ethically you answered your question for yourself
already when you conceded that they are entitled to do that form of
investigative reporting. They are a newspaper.

------
higherpurpose
So the Guardian was unethical because it exposed Whisper's unethical ways?

~~~
snsr
The linked CJR article concludes that the Guardian acted ethically and
responsibly.

------
mikeash
Sometimes I see something so bizarre and so different from my expectations
that I momentarily wonder if I've shifted into a parallel universe that's
subtly different from my own.

Apparently this is a universe where a lot of people think it's unacceptable
for journalists to report on information they learned in a business meeting. I
wonder what else has changed.

------
forgottenpass
All the journalist hand-wringing over the Guardian is exactly how we get the
milquetoast reporting we do these days.

I understand why someone wouldn't want to burn bridges, but when their
strategy for protecting access preempts any reporting ever, they cease to be
performing any journalistic function. They're just hangers-on.

------
marco1
Android needs App Ops back. We can't rely on shady for-profit companies to
protect our anonymity and privacy. Same for other operating systems, of
course.

------
e3pi
Got it. Guardian good, Whisper evil. What are the opportunities here, for our
hacking community and social engineers, what kind of exploitation of Neetzan
Zimmerman, using Whisper services, may be obtained for public humiliation,
hopefully legal prosecution, and ideally profit?

------
secfirstmd
My general formula for journalism.

IF Public Interest >= Physical + Mental Damage / Reputational Damage to
"source" THEN = Publish ELSE redact LOOP

~~~
jeremysmyth
This leads to an obvious problem with the definition of "public interest": A
very large proportion of the public is interested in what goes on in the
bedrooms of celebrities. I'm not sure I could support that definition of
"public interest" in this equation.

~~~
secfirstmd
Agreed. Public interest is a very difficult to define - Snowden vs Celebrate
gossip etc. I was being looking for a distraction and was doing a bit of a
thought experiment :)

~~~
pooper
if (anthonyWeiner.status == published) { publish(JenniferLawrenceStory); }

Many have expressed doubt that the media reaction would be the same if Kristen
Stewart's photos were leaked instead.

