Guardian Alleges Whisper Tracks Users Without Consent; Whisper Fights Back

In a bombshell report, The Guardian revealed that Whisper, a popular app that promises total anonymity to users revealing secrets, tracks the GPS coordinates of all its users — even the ones who attempt to opt out of geolocation services. Not only that, they also track a small handful of individuals that they deem to be “newsworthy,” and follow them on a map based on where they are at the time.

Currently, some 2.6 million messages revealing personal and/or professional secrets are posted on Whisper per day, and up until four days ago, the site touted that it does not track anyone’s location without their consent, and deletes content after a short period of time. The Guardian asserts that neither of these things are true:

Whisper has developed an in-house mapping tool that allows its staff to filter and search GPS data, pinpointing messages to within 500 meters of where they were sent.

The technology, for example, enables the company to monitor all the geolocated messages sent from the Pentagon and National Security Agency. It also allows Whisper to track an individual user’s movements over time.

When users have turned off their geolocation services, the company also, on a targeted, case-by-case basis, extracts their rough location by from IP data emitted by their smartphone.

In addition, the Guardian alleges that they track a “handful” of individuals who work in secretive institutions, from corporations like Disney to governmental buildings on Capitol Hill, to see whether they post newsworthy content. Again, without their knowledge:

Separately, Whisper has been following a user claiming to be a sex-obsessed lobbyist in Washington DC. The company’s tracking tools allow staff to monitor which areas of the capital the lobbyist visits. “He’s a guy that we’ll track for the rest of his life and he’ll have no idea we’ll be watching him,” the same Whisper executive said.

The Guardian wrote this story after Whisper voluntarily revealed the extent of their GPS tracking to them. (Which is how it received some truly sociopathic quotes from Whisper executives.)

According to the paper, at no point did Whisper forbid them from writing anything about their practices, which is not quite smart, considering that the Guardian broke the story of the NSA’s mass surveillance program and has won awards for their advocacy against institutions collecting online data without the knowledge of its users. (Though the Guardian had worked with the company in the past to publish stories based on whispers, is no longer pursing a partnership with Whisper.)

Whisper quickly hit back, with editor Neetzan Zimmerman going on a Twitter spree stating that the Guardian‘s report was patently false:

1/This cannot be overemphasized: @Whisper has never nor will ever collect nor store ANY personally identifiable information from its users.

— Neetzan Zimmerman (@neetzan) October 16, 2014

2/Users must OPT IN to location, not OPT OUT. If a user does not OPT IN, their location information is NEVER collected nor stored, period.

— Neetzan Zimmerman (@neetzan) October 16, 2014

3/Users who OPT IN — meaning elect to make their location public — have their location HEAVILY FUZZED by @Whisper to 500 meters away.

— Neetzan Zimmerman (@neetzan) October 16, 2014

4/No exact location data is EVER stored or is accessible by @Whisper or its employees. The Guardian’s suggestion to the contrary is FALSE.

— Neetzan Zimmerman (@neetzan) October 16, 2014

5/Again, users who have OPTED IN to making their location PUBLIC have their location proactively fuzzed to 500 meters by @Whisper.

— Neetzan Zimmerman (@neetzan) October 16, 2014

6/As there is no personally identifiable information (name, phone, email, address) collected or stored, fuzzed location data is meaningless.

— Neetzan Zimmerman (@neetzan) October 16, 2014

7/Users who do not opt in to location send NO GPS information. It is a technical impossibility for us to determine their location.

— Neetzan Zimmerman (@neetzan) October 16, 2014

8/To sum: Users must OPT IN to location; location is ALWAYS fuzzed to 500 meters; Users who don’t opt in provide NO GPS data.

— Neetzan Zimmerman (@neetzan) October 16, 2014

9/For transparency’s sake, here is our original, unaltered response to The Guardian. It answers many FAQs: https://t.co/tj1zTUF7wU

— Neetzan Zimmerman (@neetzan) October 16, 2014

10/The rest of the tweetstorm will be dedicated to necessary background on how The Guardian piece came to be. Keep sending me any Qs.

— Neetzan Zimmerman (@neetzan) October 16, 2014

Prior to that, Zimmerman tweeted this ominous warning:

Second response: The Guardian made a mistake posting that story and they will regret it.

— Neetzan Zimmerman (@neetzan) October 16, 2014

There will obviously be more to come in this story.

[The Guardian]
[Image via Whisper]

—

>> Follow Tina Nguyen (@Tina_Nguyen) on Twitter