Careless Whisper? Anonymous messaging app accused of stalking users, blabbing to Feds

Startup denies outing peeps posting witty gags


The makers of Whisper have denied claims that the anonymous messaging app is secretly tracking the whereabouts of its privacy-conscious users.

The startup hit back following reports that detailed location logs are shared with the US government.

Whisper is a two-year-old phone app that allows people to publish text overlaid on images to the whisper.sh website and other Whisper users, and comment on these posts, all using anonymous handles. It looks something like this and this.

The app allows peeps to tag their missives with a location, but there is an opt-out button to avoid revealing one's whereabouts. Now an investigation by the Guardian suggests this button is ineffective: your movements are always tracked, it's reported.

According to the Graun's dossier, if this geolocation tagging is turned off by someone who posts something interesting, staff are instructed by bosses to ignore the opt-out and find the user's "latitude and longitude" using IP addresses and other data. Specific people are closely monitored for juicy titbits, the report claims, even if they think they are anonymous.

An unnamed Whisper executive apparently told reporters about a sex-crazed lobbyist in Washington DC who posted stuff using the software; the exec explained how the application was able to track which offices the lobbyist visited in the United States' capital, we're told.

"He's a guy that we'll track for the rest of his life and he'll have no idea we'll be watching him," the Whisper executive allegedly said.

The reporters, Paul Lewis and Dominic Rushe, were also told that the firm shares its data with British and American g-men when requested to do so, and shares the messages posted by some military personnel with the US Department of Defense. The startup is trying out the application in China, and will do the same kind of info disclosure to government officials in the Middle Kingdom if mandarins ask them, it's claimed.

The report also alleges that Whisper is keeping a log of all the posts made since its inception, despite claiming to hold onto them for only a brief period of time. The Guardian claims Whisper rewrote a section of its privacy policy after it informed the firm it was going to publish an exposé.

Whisper roars back

The response from the California app maker has been swift and forthright, with Whisper's editor-in-chief taking to Twitter to protest the piece.

Yes, Whisper has an ed-in-chief because the site works closely with news outlets such as BuzzFeed and the Guardian, sharing juicy anonymous posts with newshounds to turn them into stories – hence the need to know where and when people are, which is the crux of Whisper's problem this week. It wanted to be a news source and a private messaging service.

The Guardian said it sent some of its reporters to visit the Whisper team, apparently uncovered the location tracking, bailed out of the partnership, and ran Thursday's story. In response, Neetzan Zimmerman, Whisper's editor-in-chief, bellowed:

In a detailed rebuttal, the firm insists that if someone opts out of the location tagging, the upstart won't store that data – and for those who do sign up to geotagging, they'll be tracked to within 500 metres. As for tracking IP addresses, the Whisper team says that such data only provides a "very coarse location to be determined to the city, state, or country level."

The firm reiterates that it only stores users' messages for "a brief period of time," and says the data it does store isn't personally identifiable information – and that it is stored on private, security-audited servers.

If users make a newsworthy claim, past posts are used to establish their veracity – which is telling about the "brief period of time" claim. We've seen posts on the site that are two weeks old. Anyway, if Whisper editors contact the user, they always identify themselves immediately, we're assured.

Whisper does comply with lawful requests for data from the Feds, it says, as all US companies are required to do, and said it shared data with the Department of Defense as part of a program to reduce military suicides.

As for China, the firm says it hasn't launched the app there yet, but says it always complies with local laws and regulations in the countries it operates in. In China's case, these same laws inspired Google to shift its servers off the Chinese mainland.

Whisper CTO Chad DePue also took to the message board on Hacker News to defend his app on technical grounds. He described IP tracking as "so inaccurate as to be laughable," and said that it was needed to deal with spammers. Any IP address data is deleted "after a brief period of time," he said.

As for allegations that the firm changed its terms and conditions just before the Guardian article went to press, DePue described this as "beyond silly." The terms and conditions changes had been under discussion for months, he claimed, and the changes were designed to make them easier to understand.

And yet…

But questions still remain over the amount of sensitive information Whisper gathers.

For a start, when users download the application from Google's Play Store, the software asks for access to the user's identity, locations, Wi-Fi hardware and device ID information.

More worryingly, an analysis of the application's executable by security expert Jonathan Zdziarski shows code that appears to contradict Whisper's statements about that 500-metre location granularity.

"That's the requested minimum accuracy," Zdziarski told The Register.

"There are a number of different options you can request from the [iOS] core location manager. It would seem that if they were really interested in just your city, they'd have requested it within a kilometer, at least. Those are Apple constants they're using; a kilometer option exists."

Whisper sent us the following statement:

Whisper does not collect nor store any personally identifiable information from users and is anonymous. There is nothing in our geolocation data that can be tied to an individual user and a user’s anonymity is never compromised. Whisper does not follow or track users. The Guardian’s assumptions that Whisper is gathering information about users and violating user’s privacy are false.

"For users who opt into geolocation services, the location information that we do store is obscured to within 500 meters of their smartphone device’s actual location," the upstart added. ®
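
Whisper's statement says stored locations are obscured to within 500 metres but not how that is done. One way to enforce such a bound before anything is written to storage, as an added example that is not Whisper's code: snap every fix to the centre of a fixed grid cell. The 700 m cell side, the function names and the sample coordinates are assumptions made here.

```python
import math

EARTH_RADIUS_M = 6_371_000.0
MAX_ERROR_M = 500.0   # figure quoted in Whisper's statement
CELL_SIDE_M = 700.0   # assumption: half-diagonal ~495 m, just under the limit


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def coarsen(lat, lon):
    """Return the centre of the grid cell containing (lat, lon).

    Only this value should reach storage; the raw fix is discarded.
    """
    if abs(lat) > 85:
        raise ValueError("grid is not defined near the poles")
    lat_step = math.degrees(CELL_SIDE_M / EARTH_RADIUS_M)
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    # Longitude degrees shrink with latitude, so widen the step per row.
    lon_step = lat_step / math.cos(math.radians(lat_c))
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return lat_c, lon_c


def distinct_stored(fixes):
    """Set of stored cells produced by a sequence of raw fixes."""
    return {coarsen(lat, lon) for lat, lon in fixes}


if __name__ == "__main__":
    # Constructed fixes: a cell centre and four neighbours roughly 100 m away.
    centre = coarsen(38.9000, -77.0300)
    offsets = ((0.001, 0), (-0.001, 0), (0, 0.001), (0, -0.001))
    fixes = [centre] + [(centre[0] + dy, centre[1] + dx) for dy, dx in offsets]
    print(len(distinct_stored(fixes)), "stored cell(s) for", len(fixes), "fixes")
    raw = (38.9000, -77.0300)
    print(round(haversine_m(*raw, *coarsen(*raw))), "m from raw fix to stored value")
```

This bounds only the precision of what is stored; the accuracy an app requests from the location manager, which is the point Zdziarski raises, is a separate setting.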


Biting the hand that feeds IT © 1998–2022