What amazes me is that all of this information came voluntarily from Whisper.
>The Guardian visited the Whisper offices to consider the possibility of undertaking other journalistic projects with the company and sent two reporters last month to look in detail at how the app operates. At no stage during the visit were the journalists told they could not report on the information shared with them.
What kind of a company invites journalists from a newspaper known for its investigative/muckraking skills, and then hands over their secret sauce along with such gems:
>Separately, Whisper has been following a user claiming to be a sex-obsessed lobbyist in Washington DC. The company’s tracking tools allow staff to monitor which areas of the capital the lobbyist visits. “He’s a guy that we’ll track for the rest of his life and he’ll have no idea we’ll be watching him,” the same Whisper executive said.
>The Guardian is no longer pursuing a relationship with Whisper.
> What kind of a company invites journalists from a newspaper known for its investigative/muckraking skills
I can only guess, but I'd be willing to bet it's because of a mistaken idea that "we're on the same side", therefore any reporting by Guarding would almost certainly end up positive.
> and then hands over their secret sauce along with such gems:
... but yeah, I've got nothing, other than what were they thinking? I mean, I like the idea of keeping tabs on bad people, but then I'm not the one running a website that claims I won't track people.
I love the work of Open Whisper Systems, Redphone/TextSecure/Signal is brilliant. I hope the completely get the number of users they deserve when they merge under the one brand.
> The Guardian witnessed this practice on a three-day visit to the company’s Los Angeles headquarters last month, as part of a trip to explore the possibility of an expanded journalistic relationship with Whisper.
So they look to partner, don't like what they see and turn it into a story? Whisper has two problems: violating its users' trust, and letting an external group in without an agreement in place. The Guardian also looks bad flipping this into a lede in my mind.
>The Guardian also looks bad flipping this into a lede in my mind.
The Grauniad would look bad for claiming to be journalists and not reporting on this.
edit: really? Journalists, not under any 'off-the-record' or non-disclosure agreements, seek to partner with an app that allows anonymous communication, and finds that it's tracking it's users, storing all information, ignoring opt outs, and funneling information to governments.
They shouldn't report this because what? They should report this even if they are not journalists, but have a moral center.
So even if you disable the location feature it still tracks your location? I'd be interested what they mean by 'broad location tracking' but I can't imagine that it's consistent with their anonymity claims. e.g. see http://www.nature.com/srep/2013/130325/srep01376/full/srep01...
Re-identification is a very different risk than the one considered by the UC Santa Barbara researchers in Wang, Gang, et al. "Whispers in the Dark: Analysis of an Anonymous Social Network." (2014).
Aren't Open Source privacy apps more preferable? Shouldn't we all be talking about ChatSecure, Redphone, Textsecure, Mailvelope, Cryptocat, GPG, EnigMail, etc.? And about the companies that offer these programs as a service?
While it's not a guarantee of privacy, open source does significantly increase the likelihood that invasions of privacy and security vulnerabilities can be discovered by enthusiasts and journalists. Right? Wouldn't that be preferable when selecting a privacy app?
Of course, but common users don't have technical knowledge to know the difference, so they depend purely on marketing and trust (I guess "the safest place on internet" here did it's trick). It's good that mainstream media finally starts paying attention to the privacy, maybe it will make non-technical user to think twice before trusting such bullshit apps/services.
I'm the CTO of Whisper. This is really bad reporting. A few notes:
1. we use a legacy maxmind geoip database so we can put the whisper in a general location. that is so inaccurate as to be laughable. for instance, my current IP using our service says "USA", though I'm in Venice, CA. This is hardly a privacy violation, and it's really important for a bunch of reasons:
a) The whisper needs to actually appear in the app, and it won't appear without some general location. The % of all Whispers which are tagged as somewhere in the middle of Kansas because we don't really know where they are (but we know they are in the US) is very high. This is not a scandal.
b) We want to know where a user is in a general sense for things like tracking timezone so when we send pushes we know not to send pushes at 3 in the morning. you'd be surprised how often device timezone may not always match with physical location.
c) We use general location to determine things users may be interested in. folks who post in lower manhattan may see different results than people in College Station, TX, over time.
d) We have a lot of anti-spam technology, and what IP you posted from, and what country that IP is in, is important. I can't elaborate on this but it's incredibly logical why we would use that information for things like keeping the app from filling with spammy garbage.
e) We throw away the IP you used to create the whisper after a brief period of time.
2. We've been working with researchers at a local university to ensure the anonymity around location was such that they couldn't determine groups of whispers from the same user. They contributed to our randomization algorithms and provided suggestions around security.
3. We fuzz location even more than this on write and on reads. We randomize it based on the observer who asks for the location, and we randomize it BEFORE WE SAVE IT TO OUR DATABASE. In other words, we don't actually know where the user was once the whisper is saved, and we can't even tell later.
4. The guardian's reporting that we changed our terms of service in response to the article is beyond silly. I am happy to show a screenshot of the email chain between myself and our lawyers back in July. The entire point of updating the TOS was to make it clearer and easier to read, not to protect ourselves or give ourselves more rights to user data. It takes MONTHS to get things like TOS write for an app like Whisper, and we take it seriously.
5. Edited to add... We just don't have any personally identifiable information. Not name, email, phone number, etc. I can't tell you who a user is without them posting their actual personal information, and in that case, it would be a violation of our terms of service.
Based on your own comments here, it sounds like the reporting is entirely accurate. You're attempting to justify why you're tracking your users, but you're still tracking them.
You've highlighted many of the hard problems in this space: how do you achieve anonymity and unlinkability while doing things like IP hiding, spam filtering, and relevance matching? The issue is that you haven't solved the problems, and are instead suggesting you should get a pass because the problems are hard. It seems simple to me: if you haven't designed something that gives you truly unlinkable anonymity, don't claim to provide it. If you have to track your users to make your app work, don't claim not to track your users.
There are projects like Tor that are approaching these types of problems seriously, but apps like Whisper or Secret end up poisoning the well and confusing users. There's a huge difference between "can't" track and "won't" track. Right now you're claiming "can't," but it sounds like you're squarely in the "won't" category of having your servers "avert their eyes." I think this understandably makes people uneasy, particularly given the data mining direction it sounds like the company is headed.
Your comments are at odds with the evidence presented by the Guardian, namely that you gave them access to your backend geo-tracking tool and they TOOK SCREENSHOTS:
With regards to the MaxMind Legacy databases (which are updated every Tuesday) the following accuracy is tested by MaxMind and presented on their website:
Accurate enough to pin-point a particular place in Washington D.C. it seems. 75%/84% isn't bad.
I honestly can't understand that denial. The Guardian visited your offices and they were allowed access to the tool you deny exists and they took screenshots of posts from your users who posted from the Whitehouse. By the sounds of it someone at your company naively showboated the capabilities of your system to a journalist, demonstrating features that are completely contrary to your mission statement.
You then come here and try and deny the whole thing as if we are idiots.
I normally error on the side of caution, but I truly can't see how you can defend against the overwhelming evidence.
Are you stating that the screenshots are fabricated?
You might have good reasons (and, certainly, you list some) but at the end of the day, you track every user's IP address and geo-locate it. This is Wrong (tm) for an app that claims to be about privacy.
Also, just because your maxmind geoip database is crap doesn't mean that the DOD or whoever you're selling information to doesn't have a better one.
> A team headed by Whisper’s editor-in-chief, Neetzan Zimmerman, is closely monitoring users it believes are potentially newsworthy, delving into the history of their activity on the app and tracking their movements through the mapping tool. Among the many users currently being targeted are military personnel and individuals claiming to work at Yahoo, Disney and on Capitol Hill.
This paragraph may imply something more ominous, i.e. that users are being tracked despite geolocation being turned off...I'm assuming that's not the case...but would you say that the users in this scenario are aware that their data is being analyzed at this granular level for news and research purposes by third parties?
The Whisper app on Android asks for "Device ID & call information" allowing you to see the serial number of a user as well as who they call and who calls them. If you don't collect that info, why is your app requesting permissions to it?
> 2. We've been working with researchers at a local university to ensure the anonymity around location was such that they couldn't determine groups of whispers from the same user. They contributed to our randomization algorithms and provided suggestions around security.
Recently, there was a paper by researchers at UCSB on anonymity on Whisper (Page 10, Section 7). I must say that Whisper seems to have mitigated the attack presented in the paper.
> I am happy to show a screenshot of the email chain between myself and our lawyers back in July.
Do your emails specifically detail the changes the Guardian discusses, and an October 13-ish timeline for publishing them? Maybe you were planning on changing the ToS since July, but that doesn't mean anything in relation to the content, nature, or timing of the change you just released.
> we use a legacy maxmind geoip database so we can put the whisper in a general location. that is so inaccurate as to be laughable... The % of all Whispers which are tagged as somewhere in the middle of Kansas because we don't really know where they are (but we know they are in the US) is very high.
> We want to know where a user is in a general sense for things like tracking timezone so when we send pushes we know not to send pushes at 3 in the morning. you'd be surprised how often device timezone may not always match with physical location.
So, "Chill everyone, we get 'USA' and just plot it randomly." then "Our location algorithm is accurate enough that we override the user's timezone selection, despite 'USA' spanning 6-9 timezones and multiple Daylight Savings permutations."
Question: in 1 e) above you mention you throw away the original IP info and then in 2 mention work w/ academics around not being able to group whispers from same users.
What is the relation between these statements and the ones in the article linked below about "delving into a user's history" in order to verify veracity of claims ? That would seem to suggest you are in fact aggregating user history information (e.g. sets of whispers) for at least a subset of users.. http://www.forbes.com/sites/parmyolson/2014/01/24/3-reasons-....
You don't deny any of the statements attributed to whisper executives. They were what gave most people cause for concern, not geoip tracking people that don't want to be tracked.
Why not let the user decide what location they want to be seen from? Notifications and so on can be based off that preference rather than any form of geo ip tracking.
Anonymous - no way. A small amount of location tracking + the additional data any agency and many others can easily access will easily identify an individual. I read the UCSB paper referenced by the Whisper CTO - it just said there was a hard problem Whisper was trying to do something about. The paper also said that each user had a permanent GUID. So if I, with my GUID, get on a plane from SFO to (say) Santa Fe on one particular day - the GUID use moving will make it clear I have taken a plane - then the agency (or perhaps my credit card issuer?) will get the candidates for my GUID down to a few hundred at most just from that move and the passenger list (or ticket purchase records). Coupled with my GUID's home city and work city and they probably have me nailed - just like that. Trivial.
I've always suspected that the standard rationalizations about modern user tracking (not technically PII or assuming your data won't be analyzed outside the aggregate) were feel good nothings. At least I have something concrete to point to now when I say it's all bullshit.
I'm not upset or surprised by this. However, it's not the tracking Whisper and similar apps do that upsets me; it's the trashy content and vituperative gossip produced by their users.
The central business model of our tech times is converting data into money. The eternal pressure will be to gather more and more data over time since that will result in more money.
[+] [-] r0h1n|11 years ago|reply
>The Guardian visited the Whisper offices to consider the possibility of undertaking other journalistic projects with the company and sent two reporters last month to look in detail at how the app operates. At no stage during the visit were the journalists told they could not report on the information shared with them.
What kind of a company invites journalists from a newspaper known for its investigative/muckraking skills, and then hands over their secret sauce along with such gems:
>Separately, Whisper has been following a user claiming to be a sex-obsessed lobbyist in Washington DC. The company’s tracking tools allow staff to monitor which areas of the capital the lobbyist visits. “He’s a guy that we’ll track for the rest of his life and he’ll have no idea we’ll be watching him,” the same Whisper executive said.
>The Guardian is no longer pursuing a relationship with Whisper.
Well, no shit Sherlock!
[+] [-] mpyne|11 years ago|reply
I can only guess, but I'd be willing to bet it's because of a mistaken idea that "we're on the same side", therefore any reporting by Guarding would almost certainly end up positive.
> and then hands over their secret sauce along with such gems:
... but yeah, I've got nothing, other than what were they thinking? I mean, I like the idea of keeping tabs on bad people, but then I'm not the one running a website that claims I won't track people.
[+] [-] opendais|11 years ago|reply
[+] [-] ozy23378|11 years ago|reply
[+] [-] doe88|11 years ago|reply
(Completely unrelated)
[+] [-] secfirstmd|11 years ago|reply
I love the work of Open Whisper Systems, Redphone/TextSecure/Signal is brilliant. I hope the completely get the number of users they deserve when they merge under the one brand.
[+] [-] Strilanc|11 years ago|reply
1: https://whispersystems.org/blog/a-whisper/
[+] [-] HCIdivision17|11 years ago|reply
[+] [-] scw|11 years ago|reply
So they look to partner, don't like what they see and turn it into a story? Whisper has two problems: violating its users' trust, and letting an external group in without an agreement in place. The Guardian also looks bad flipping this into a lede in my mind.
[+] [-] pessimizer|11 years ago|reply
The Grauniad would look bad for claiming to be journalists and not reporting on this.
edit: really? Journalists, not under any 'off-the-record' or non-disclosure agreements, seek to partner with an app that allows anonymous communication, and finds that it's tracking it's users, storing all information, ignoring opt outs, and funneling information to governments.
They shouldn't report this because what? They should report this even if they are not journalists, but have a moral center.
[+] [-] agd|11 years ago|reply
[+] [-] yva|11 years ago|reply
Re-identification is a very different risk than the one considered by the UC Santa Barbara researchers in Wang, Gang, et al. "Whispers in the Dark: Analysis of an Anonymous Social Network." (2014).
[+] [-] lsiebert|11 years ago|reply
[+] [-] barnaby|11 years ago|reply
While it's not a guarantee of privacy, open source does significantly increase the likelihood that invasions of privacy and security vulnerabilities can be discovered by enthusiasts and journalists. Right? Wouldn't that be preferable when selecting a privacy app?
[+] [-] kbart|11 years ago|reply
[+] [-] rubyrescue|11 years ago|reply
1. we use a legacy maxmind geoip database so we can put the whisper in a general location. that is so inaccurate as to be laughable. for instance, my current IP using our service says "USA", though I'm in Venice, CA. This is hardly a privacy violation, and it's really important for a bunch of reasons:
a) The whisper needs to actually appear in the app, and it won't appear without some general location. The % of all Whispers which are tagged as somewhere in the middle of Kansas because we don't really know where they are (but we know they are in the US) is very high. This is not a scandal.
b) We want to know where a user is in a general sense for things like tracking timezone so when we send pushes we know not to send pushes at 3 in the morning. you'd be surprised how often device timezone may not always match with physical location.
c) We use general location to determine things users may be interested in. folks who post in lower manhattan may see different results than people in College Station, TX, over time.
d) We have a lot of anti-spam technology, and what IP you posted from, and what country that IP is in, is important. I can't elaborate on this but it's incredibly logical why we would use that information for things like keeping the app from filling with spammy garbage.
e) We throw away the IP you used to create the whisper after a brief period of time.
2. We've been working with researchers at a local university to ensure the anonymity around location was such that they couldn't determine groups of whispers from the same user. They contributed to our randomization algorithms and provided suggestions around security.
3. We fuzz location even more than this on write and on reads. We randomize it based on the observer who asks for the location, and we randomize it BEFORE WE SAVE IT TO OUR DATABASE. In other words, we don't actually know where the user was once the whisper is saved, and we can't even tell later.
4. The guardian's reporting that we changed our terms of service in response to the article is beyond silly. I am happy to show a screenshot of the email chain between myself and our lawyers back in July. The entire point of updating the TOS was to make it clearer and easier to read, not to protect ourselves or give ourselves more rights to user data. It takes MONTHS to get things like TOS write for an app like Whisper, and we take it seriously.
5. Edited to add... We just don't have any personally identifiable information. Not name, email, phone number, etc. I can't tell you who a user is without them posting their actual personal information, and in that case, it would be a violation of our terms of service.
[+] [-] moxie|11 years ago|reply
You've highlighted many of the hard problems in this space: how do you achieve anonymity and unlinkability while doing things like IP hiding, spam filtering, and relevance matching? The issue is that you haven't solved the problems, and are instead suggesting you should get a pass because the problems are hard. It seems simple to me: if you haven't designed something that gives you truly unlinkable anonymity, don't claim to provide it. If you have to track your users to make your app work, don't claim not to track your users.
There are projects like Tor that are approaching these types of problems seriously, but apps like Whisper or Secret end up poisoning the well and confusing users. There's a huge difference between "can't" track and "won't" track. Right now you're claiming "can't," but it sounds like you're squarely in the "won't" category of having your servers "avert their eyes." I think this understandably makes people uneasy, particularly given the data mining direction it sounds like the company is headed.
[+] [-] junto|11 years ago|reply
http://www.theguardian.com/world/2014/oct/16/-sp-whispers-se...
With regards to the MaxMind Legacy databases (which are updated every Tuesday) the following accuracy is tested by MaxMind and presented on their website:
source: https://www.maxmind.com/en/geoip2-city-accuracy?country=Unit...Accurate enough to pin-point a particular place in Washington D.C. it seems. 75%/84% isn't bad.
I honestly can't understand that denial. The Guardian visited your offices and they were allowed access to the tool you deny exists and they took screenshots of posts from your users who posted from the Whitehouse. By the sounds of it someone at your company naively showboated the capabilities of your system to a journalist, demonstrating features that are completely contrary to your mission statement.
You then come here and try and deny the whole thing as if we are idiots.
I normally error on the side of caution, but I truly can't see how you can defend against the overwhelming evidence.
Are you stating that the screenshots are fabricated?
[+] [-] hdevalence|11 years ago|reply
> “He’s a guy that we’ll track for the rest of his life and he’ll have no idea we’ll be watching him,” the same Whisper executive said.
Is that a quote that the Guardian invented from whole cloth, or is that how you see your users?
[+] [-] fragmede|11 years ago|reply
Also, just because your maxmind geoip database is crap doesn't mean that the DOD or whoever you're selling information to doesn't have a better one.
[+] [-] danso|11 years ago|reply
> A team headed by Whisper’s editor-in-chief, Neetzan Zimmerman, is closely monitoring users it believes are potentially newsworthy, delving into the history of their activity on the app and tracking their movements through the mapping tool. Among the many users currently being targeted are military personnel and individuals claiming to work at Yahoo, Disney and on Capitol Hill.
This paragraph may imply something more ominous, i.e. that users are being tracked despite geolocation being turned off...I'm assuming that's not the case...but would you say that the users in this scenario are aware that their data is being analyzed at this granular level for news and research purposes by third parties?
[+] [-] MichaelGG|11 years ago|reply
[+] [-] denzil_correa|11 years ago|reply
Recently, there was a paper by researchers at UCSB on anonymity on Whisper (Page 10, Section 7). I must say that Whisper seems to have mitigated the attack presented in the paper.
https://www.cs.ucsb.edu/~ravenben/publications/pdf/whisper-i...
[+] [-] Cyther606|11 years ago|reply
As the CTO of this woefully "under-capitalized" startup, you surely must be living hand to mouth.
Forgive me, but the fact is you are working with the DoD while claiming to offer users anonymity.
So egregious are your company's violations of trust with its userbase that it warranted the Guardian publicly shaming your entire enterprise.
> This is not a scandal
You're right, it's not a scandal. It's a demolition derby.
[+] [-] scintill76|11 years ago|reply
Do your emails specifically detail the changes the Guardian discusses, and an October 13-ish timeline for publishing them? Maybe you were planning on changing the ToS since July, but that doesn't mean anything in relation to the content, nature, or timing of the change you just released.
> we use a legacy maxmind geoip database so we can put the whisper in a general location. that is so inaccurate as to be laughable... The % of all Whispers which are tagged as somewhere in the middle of Kansas because we don't really know where they are (but we know they are in the US) is very high.
> We want to know where a user is in a general sense for things like tracking timezone so when we send pushes we know not to send pushes at 3 in the morning. you'd be surprised how often device timezone may not always match with physical location.
So, "Chill everyone, we get 'USA' and just plot it randomly." then "Our location algorithm is accurate enough that we override the user's timezone selection, despite 'USA' spanning 6-9 timezones and multiple Daylight Savings permutations."
[+] [-] blueMist|11 years ago|reply
[+] [-] look_lookatme|11 years ago|reply
[+] [-] protothomas|11 years ago|reply
[+] [-] SteveD3|11 years ago|reply
[+] [-] celticninja|11 years ago|reply
[+] [-] ozy23378|11 years ago|reply
This has got to be the dumbest instance of the inflationary hyperbolic use of "incredibly" I have ever read. Incredibly incredible!
[+] [-] vithlani|11 years ago|reply
[+] [-] pbreit|11 years ago|reply
I am happy to see!
[+] [-] someoneelsetoo|11 years ago|reply
[+] [-] forgottenpass|11 years ago|reply
[+] [-] unknown|11 years ago|reply
[deleted]
[+] [-] shiven|11 years ago|reply
And, oh, screw this app.
I wouldn't recommend it to anyone. Or any other claimed secure/anonymous app, that does not have the "Moxie Marlinspike seal of approval"(TM)!
[+] [-] krigi|11 years ago|reply
[+] [-] socrates2015|11 years ago|reply
[+] [-] blueskin_|11 years ago|reply