1. we use a legacy maxmind geoip database so we can put the whisper in a general location. that is so inaccurate as to be laughable. for instance, my current IP using our service says "USA", though I'm in Venice, CA. This is hardly a privacy violation, and it's really important for a bunch of reasons:
a) The whisper needs to actually appear in the app, and it won't appear without some general location. The % of all Whispers which are tagged as somewhere in the middle of Kansas because we don't really know where they are (but we know they are in the US) is very high. This is not a scandal.
b) We want to know where a user is in a general sense for things like tracking timezone so when we send pushes we know not to send pushes at 3 in the morning. You'd be surprised how often the device timezone may not match the physical location.
c) We use general location to determine things users may be interested in. folks who post in lower manhattan may see different results than people in College Station, TX, over time.
d) We have a lot of anti-spam technology, and what IP you posted from, and what country that IP is in, is important. I can't elaborate on this but it's incredibly logical why we would use that information for things like keeping the app from filling with spammy garbage.
e) We throw away the IP you used to create the whisper after a brief period of time.
2. We've been working with researchers at a local university to ensure the anonymity around location was such that they couldn't determine groups of whispers from the same user. They contributed to our randomization algorithms and provided suggestions around security.
3. We fuzz location even more than this on write and on reads. We randomize it based on the observer who asks for the location, and we randomize it BEFORE WE SAVE IT TO OUR DATABASE. In other words, we don't actually know where the user was once the whisper is saved, and we can't even tell later.
4. The Guardian's reporting that we changed our terms of service in response to the article is beyond silly. I am happy to show a screenshot of the email chain between myself and our lawyers back in July. The entire point of updating the TOS was to make it clearer and easier to read, not to protect ourselves or give ourselves more rights to user data. It takes MONTHS to get things like TOS right for an app like Whisper, and we take it seriously.
5. Edited to add... We just don't have any personally identifiable information. Not name, email, phone number, etc. I can't tell you who a user is without them posting their actual personal information, and in that case, it would be a violation of our terms of service.
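The write-time and read-time fuzzing the CTO describes in point 3, as an added illustration that is not Whisper's code and not from the original thread: the radii, the sample coordinates, the whisper/observer identifiers, the server secret and the HMAC keying are all assumptions. It goes one step beyond the post by contrasting two ways of doing the per-observer randomization: deterministic (keyed on whisper and observer) versus fresh randomness on every read, where repeated requests can be averaged back toward the stored point.

```python
import hashlib
import hmac
import math
import random

# Metres per degree of latitude, treated as constant (fine for km-scale jitter).
M_PER_DEG_LAT = 111_320.0


def _offset(lat, lon, radius_m, rng):
    """Move (lat, lon) to a uniformly random point within radius_m metres."""
    # sqrt on the radius gives uniform density over the disc instead of a pile-up at the centre
    r = radius_m * math.sqrt(rng.random())
    theta = rng.random() * 2.0 * math.pi
    dlat = (r * math.cos(theta)) / M_PER_DEG_LAT
    dlon = (r * math.sin(theta)) / (M_PER_DEG_LAT * math.cos(math.radians(lat)))
    return lat + dlat, lon + dlon


def fuzz_on_write(lat, lon, radius_m=1500.0, rng=None):
    """Write-side fuzzing: noise from a non-seeded CSPRNG is added once and only the
    result is stored, so the server cannot recover the original later."""
    return _offset(lat, lon, radius_m, rng or random.SystemRandom())


def jitter_on_read(stored_lat, stored_lon, whisper_id, observer_id, secret, radius_m=500.0):
    """Read-side jitter keyed to (whisper, observer). The offset is seeded from an HMAC
    over both identifiers, so the same observer always gets the same point and gains
    nothing by asking again (assumed design; not Whisper's actual algorithm)."""
    mac = hmac.new(secret, f"{whisper_id}|{observer_id}".encode(), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(mac[:8], "big"))
    return _offset(stored_lat, stored_lon, radius_m, rng)


def naive_jitter_on_read(stored_lat, stored_lon, radius_m=500.0, rng=None):
    """The weak alternative: fresh randomness on every read."""
    return _offset(stored_lat, stored_lon, radius_m, rng or random.SystemRandom())


def distance_m(lat1, lon1, lat2, lon2):
    """Haversine great-circle distance in metres."""
    R = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * R * math.asin(math.sqrt(a))


def averaging_attack(stored_lat, stored_lon, read_fn, n=2000):
    """Ask for the same whisper n times, average the answers, and report how far the
    mean lands from the stored point (metres)."""
    lats, lons = zip(*(read_fn() for _ in range(n)))
    return distance_m(stored_lat, stored_lon, sum(lats) / n, sum(lons) / n)


def demo(seed=1):
    rng = random.Random(seed)                # seeded only so the demo is reproducible
    secret = b"server-side-secret-assumed"   # assumed server secret
    true_lat, true_lon = 38.8977, -77.0365   # constructed sample point
    stored = fuzz_on_write(true_lat, true_lon, rng=rng)
    keyed = lambda obs: jitter_on_read(*stored, "whisper-123", obs, secret)
    return {
        "write_error_m": distance_m(true_lat, true_lon, *stored),
        "keyed_repeat_identical": keyed("alice") == keyed("alice"),
        "keyed_observers_differ": keyed("alice") != keyed("bob"),
        "naive_avg_error_m": averaging_attack(*stored, lambda: naive_jitter_on_read(*stored, rng=rng)),
        "keyed_avg_error_m": averaging_attack(*stored, lambda: keyed("alice")),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With 2000 reads, the naive variant's mean lands within a few metres of the stored point (the per-axis error of the mean shrinks roughly as radius over the square root of the request count), while the keyed variant returns the same jittered point every time, so averaging buys the observer nothing. Neither variant recovers the original coordinates, because the write-time noise was never stored.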
You've highlighted many of the hard problems in this space: how do you achieve anonymity and unlinkability while doing things like IP hiding, spam filtering, and relevance matching? The issue is that you haven't solved the problems, and are instead suggesting you should get a pass because the problems are hard. It seems simple to me: if you haven't designed something that gives you truly unlinkable anonymity, don't claim to provide it. If you have to track your users to make your app work, don't claim not to track your users.
There are projects like Tor that are approaching these types of problems seriously, but apps like Whisper or Secret end up poisoning the well and confusing users. There's a huge difference between "can't" track and "won't" track. Right now you're claiming "can't," but it sounds like you're squarely in the "won't" category of having your servers "avert their eyes." I think this understandably makes people uneasy, particularly given the data mining direction it sounds like the company is headed.
Nothing I like more than watching you destroy snake-oil companies endangering user privacy, like this one and also Telegraph etc. Let's hope TextSecure/Redphone/Signal when they merge into one brand will get the amount of users they really deserve. This stuff is never just about gossip in Washington DC, it's always about the bigger picture of people in Sudan, China, Russia etc who are led into a false sense of security.
Man, I would love to see some of the pushers of this snake oil software crap in court some day as a result of the dangers they often knowingly expose their users to.
BTW - I've been meaning to drop you a secure mail about some other stuff but will do it next week.
I heard about Telegram after its rise in popularity in Asian countries; shame that they have (BIG) issues like this.
Very unfortunate indeed, people may have misunderstood my recommendations of the former as recommendations of the latter.
Good to see a very public lambasting.
You act like this is a deliberate violation of privacy. I don't know what to say, except that you're wrong.
If you ask a question, you consent to be "tracked" to the extent necessary to deliver an answer to you. On the internet, that means IP address.
I don't think it's a deliberate violation of privacy to operate a website, but I do think that it's a violation to operate a normal website and call it "anonymous." Because, as you point out, it's not.
Not only does it confuse users in the immediate sense, but it poisons the well for everyone who is approaching the problems seriously in the long term.
Does this app pretend at any point that its operators couldn't identify users if they wanted to? That would be dishonest. But what word do you expect them to use for "your name will not be published" besides "anonymous"?
Where on Whisper's site do they say "this site is anonymous, but it is not safe enough to publish anything with legal implications"? I looked.
With regards to the MaxMind Legacy databases (which are updated every Tuesday) the following accuracy is tested by MaxMind and presented on their website:
                         Correctly Resolved   Incorrectly Resolved   Unresolved
GeoLite2 City                   75%                   14%               12%
GeoIP2 City                     84%                   13%                3%
GeoIP2 Precision City           84%                   13%                3%
Accurate enough to pin-point a particular place in Washington D.C. it seems. 75%/84% isn't bad.
I honestly can't understand that denial. The Guardian visited your offices and they were allowed access to the tool you deny exists and they took screenshots of posts from your users who posted from the White House. By the sounds of it someone at your company naively showboated the capabilities of your system to a journalist, demonstrating features that are completely contrary to your mission statement.
You then come here and try and deny the whole thing as if we are idiots.
I normally err on the side of caution, but I truly can't see how you can defend against the overwhelming evidence.
Are you stating that the screenshots are fabricated?
As per the screenshot with the caption:
> A Whisper user posted this message from the vicinity of the White House. The red dots indicate Whisper messages sent from that location. Potentially identifying information has been redacted by the Guardian.
> “He’s a guy that we’ll track for the rest of his life and he’ll have no idea we’ll be watching him,” the same Whisper executive said.
Is that a quote that the Guardian invented from whole cloth, or is that how you see your users?
Also, just because your maxmind geoip database is crap doesn't mean that the DOD or whoever you're selling information to doesn't have a better one.
> A team headed by Whisper’s editor-in-chief, Neetzan Zimmerman, is closely monitoring users it believes are potentially newsworthy, delving into the history of their activity on the app and tracking their movements through the mapping tool. Among the many users currently being targeted are military personnel and individuals claiming to work at Yahoo, Disney and on Capitol Hill.
This paragraph may imply something more ominous, i.e. that users are being tracked despite geolocation being turned off...I'm assuming that's not the case...but would you say that the users in this scenario are aware that their data is being analyzed at this granular level for news and research purposes by third parties?
Recently, there was a paper by researchers at UCSB on anonymity on Whisper (Page 10, Section 7). I must say that Whisper seems to have mitigated the attack presented in the paper.
As the CTO of this woefully "under-capitalized" startup, you surely must be living hand to mouth.
Forgive me, but the fact is you are working with the DoD while claiming to offer users anonymity.
So egregious are your company's violations of trust with its userbase that it warranted the Guardian publicly shaming your entire enterprise.
> This is not a scandal
You're right, it's not a scandal. It's a demolition derby.
Do your emails specifically detail the changes the Guardian discusses, and an October 13-ish timeline for publishing them? Maybe you were planning on changing the ToS since July, but that doesn't mean anything in relation to the content, nature, or timing of the change you just released.
> we use a legacy maxmind geoip database so we can put the whisper in a general location. that is so inaccurate as to be laughable... The % of all Whispers which are tagged as somewhere in the middle of Kansas because we don't really know where they are (but we know they are in the US) is very high.
> We want to know where a user is in a general sense for things like tracking timezone so when we send pushes we know not to send pushes at 3 in the morning. you'd be surprised how often device timezone may not always match with physical location.
So, "Chill everyone, we get 'USA' and just plot it randomly." then "Our location algorithm is accurate enough that we override the user's timezone selection, despite 'USA' spanning 6-9 timezones and multiple Daylight Savings permutations."
This has got to be the dumbest instance of the inflationary hyperbolic use of "incredibly" I have ever read. Incredibly incredible!
I am happy to see!