Whisper Tracks Users

The Guardian has reported that the app Whisper tracks users, and then published a second article explaining what it knows after Whisper denied the story. Here's Whisper's denial; be sure to also read the first comment from Moxie Marlinspike.

Slashdot thread. Hacker News thread.

EDITED TO ADD (10/22): Another Whisper explanation, and another Guardian article. An analysis.

Posted on October 21, 2014 at 12:07 PM • 24 Comments

Comments

Daniel • October 21, 2014 1:05 PM

In my firm view sustainable "unlinkable anonymity" is impossible on the internet, as it will always be an asymmetric cat and mouse game. So we need to look at the next best option which is to focus on data retention. This essentially turns the game from one of tag into a game of hide and seek, restricted by timeliness. Curiously, there is a lot of evidence that human memory works on just this principle--that we forgot information precisely to make room for new information. So the better question is how long are we going to remember things for? Forget about anonymity--it's a loser--and focus on forgetting instead.

Frank Wilhoit • October 21, 2014 1:49 PM

@Daniel,

Anonymity is the ethical imperative and the subjective good. It is, in short, The Product. If a product is being advertised by an actor who turns out to be unprepared to deliver it, it is not germane to argue that the product doesn't actually exist -- especially when we know that it does exist.

Talk about an asymmetric cat/mouse game: how long is too long to retain data? It sounds like you're adducing a practical benefit based upon a probability that data will evaporate before it can be analyzed to a degree that would support harmful action. That lapse of time is already negligible. It can be done against data-in-flight with no retention (persistence) at all.

stine • October 21, 2014 1:52 PM

If you want to read a funny account of this, read The Register's article from 10/20/2014, titled "Whisper tracks its users. So we tracked down its LA office. This is what happened next"

Vincent • October 21, 2014 2:32 PM

A fourth Guardian article reports that Michael Heyward, CEO of Whisper, has answered the privacy allegations made against Whisper. Heyward's response is here.

But just how well does Heyward respond to The Guardian's allegations? I looked at 6 of the allegations made by The Guardian in its October 16 article. I then looked at Heyward's response for denials and admissions of those specific allegations. My conclusions are in this blog post.

Justin • October 21, 2014 3:31 PM

Never heard of "Whisper" before the brouhaha about its tracking users. It sounds like another "social" networking app but even more vapid than Facebook or Twitter. It is somewhat ominous in that

A.) Users are encouraged to post revealing things about themselves that they wouldn't ordinarily want to be identified with.

B.) The company actually does track users (like any other social networking site).

C.) It has close ties to and shares information with military command, law enforcement, and intelligence communities.

The company is asking for a lot of trust from its users for little better purpose than idle entertainment, and then is not willing or able to uphold that trust. I think this ties in with James Comey's war on encryption. It hearkens back to the days of J. Edgar Hoover and COINTELPRO.

Silent Underground • October 21, 2014 4:45 PM

Whisper is also sharing information with the US Department of Defense gleaned from smartphones it knows are used from military bases, and developing a version of its app to conform with Chinese censorship laws.

&&

Neetzan Zimmerman (@neetzan), second response: "The Guardian made a mistake posting that story and they will regret it."


Mmmm, yeah, they are baddies.


While I can appreciate the boy scoutishness of wanting to help DoD CounterIntelligence, need they spy on everything their end users say and do... and is it not just a little troublesome that the US keeps outpacing China, Vietnam, Saudi Arabia, and other totalitarian countries *for* totalitarian practices when the US **supposedly** stands for Liberty, freedom?

George Bush, "They hate our freedom".

I bet Bush really hated those protests. :-)


BoppingAround • October 21, 2014 5:08 PM

Silent Underground,

> when the US **supposedly** stands for Liberty, freedom?

IMO that is a smarter approach to surveillance. People are more wary and less likely to spill the beans if they know they are in a hostile environment.

Remember the Target case?

“Then we started mixing in all these ads for things we knew pregnant women would never buy, so the baby ads looked random. We’d put an ad for a lawn mower next to diapers. We’d put a coupon for wineglasses next to infant clothes. That way, it looked like all the products were chosen by chance.

“And we found out that as long as a pregnant woman thinks she hasn’t been spied on, she’ll use the coupons. She just assumes that everyone else on her block got the same mailer for diapers and cribs. As long as we don’t spook her, it works.


http://www.forbes.com/sites/kashmirhill/2012/02/16/how-target-figured-out-a-teen-girl-was-pregnant-before-her-father-did/

Silent Underground • October 21, 2014 5:50 PM

@BoppingAround

Yes, exactly!

Mmm, great line from Flapjack episode "eye sea you", "in order to spy on someone, they can't know they are being spied on, that way they will actually do stuff".

(This after spying on Bubbles for a week and she was doing nothing.)

It just lacks professionalism gosh darn it.

Daniel • October 21, 2014 9:59 PM

@Frank Wilhoit

The claim that anonymity exists is a half-truth. It exists for some people at some times and even in those limited cases the practical anonymity that is achieved is due to a cost-benefit analysis by the attacker. Tor itself is only anonymous when used properly (which it often isn't) and not being actively attacked (which it often is) and is further subject to all sorts of attacks that have nothing to do with Tor itself but with the way that Tor interfaces with other technologies...see Freedom Hosting, see Silk Road as examples.

I concede your point right up front that forgetting is not a perfect solution and has its own share of potential abuses. I argue, however, that we need to stop thinking that anonymity is the only way to protect privacy. Most people's privacy at most times is better protected with a system that forgets than a system that anonymizes.

Bob S. • October 22, 2014 5:46 AM

Whisper sounds like a badly done government special op. I would guess the Guardian would be a prime target due to its connections to Snowden/Greenwald.

I read somewhere Whisper also requires access to smartphone features such as the camera and the user's contact list. That should have been a hint.

I am beginning to wonder if there aren't a lot of "apps" out there that have government sponsorship and purposes. I noticed the other day one of the kid's apps requires geo-location data to play the stupid game.

Why?

Many other major programs and services also demand/require granular personal data for no logical reason, except mass surveillance.

fajensen • October 22, 2014 6:16 AM

@Bob S. I am beginning to wonder if there aren't a lot of "apps" out there that have government sponsorship and purposes.

Anti-virus packages. Like Avast. It is a sleek piece of software with a good user interface, easy to install, looks after itself - generally. It also proxies every connection out of the computer, even geek things like "nntp". Hmm!?

Clearly, a fairly large team of reasonably competent developers were involved.

This costs money. But Avast is free for personal use and people do not voluntarily pay for anything (my mother does, but she is special).

So, why not? Anti-virus scanners run as "root", read through all files, sniff all network traffic - with a filter configuration that is controlled remotely.

Anti-virus is the perfect tool for distributed searches for specific data and one can probably do some network/graph analysis based on file hashes, to determine how information propagates between systems and to extract files. Most AV packages report "statistics" and receive "filters" from "The Mothership"; these messages could be a back-channel for command & control.

We are told to install these tools all the time. Why? - One wonders!

Chris F • October 22, 2014 6:55 AM

@BobS "I read somewhere Whisper also requires access to smartphone features such as the camera and the user's contact list. That should have been a hint."

Reading the Register article it looks like you can take pictures to be posted with whatever you're posting so the camera makes sense. And I'm sure there's a feature to invite friends to use Whisper so the contact list makes sense too. That's not to say that's all they're using it for, just that there are reasons that make sense.

What doesn't make sense is the following permissions:

Device & app history
retrieve running apps

Identity
find accounts on the device

Wi-Fi connection information
view Wi-Fi connections

Other
view network connections
close other apps
use accounts on the device


Why it needs to see what networks you're connected to (since it already knows where you are) and why it needs access to other applications and to use accounts I can't think of a legitimate reason for. Unless the using of accounts is to get access to contact list (which I didn't see as a requested permission).
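The permission review in the comment above can be turned into a repeatable check: parse the app's manifest, take the features the app advertises as justification, and flag every requested permission that no advertised feature explains. The script below is an added example, not code from the comment, from Whisper, or from Google; the manifest is constructed, the feature-to-permission baseline is this example's own judgment, and the mapping from Play Store display labels (as listed in the comment) to manifest permission names is an assumption about how Google Play summarises them.

```python
"""Audit an Android manifest's requested permissions against the features the
app says it needs them for. Added example: the manifest is constructed and the
label mapping and baseline are this example's own assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS  # namespaced android:name attribute

# Assumed mapping from Play Store display labels to manifest permission names.
PLAY_LABELS = {
    "android.permission.GET_TASKS": "retrieve running apps",
    "android.permission.GET_ACCOUNTS": "find accounts on the device",
    "android.permission.ACCESS_WIFI_STATE": "view Wi-Fi connections",
    "android.permission.ACCESS_NETWORK_STATE": "view network connections",
    "android.permission.KILL_BACKGROUND_PROCESSES": "close other apps",
    "android.permission.USE_CREDENTIALS": "use accounts on the device",
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.READ_CONTACTS": "read your contacts",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.INTERNET": "full network access",
}

# Baseline (this example's judgment): which advertised feature justifies which
# permission. Anything requested that no declared feature explains is flagged.
FEATURE_BASELINE = {
    "post_photos": {"android.permission.CAMERA"},
    "invite_friends": {"android.permission.READ_CONTACTS"},
    "nearby_posts": {"android.permission.ACCESS_FINE_LOCATION"},
    "any_online_app": {"android.permission.INTERNET"},
}

# Constructed manifest for a hypothetical anonymous-posting app.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.anonpost">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.GET_TASKS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <uses-permission android:name="android.permission.USE_CREDENTIALS"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every android:name on a <uses-permission> element, in manifest order."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(NAME_ATTR) for el in root.iter("uses-permission")]
    return [n for n in names if n]  # drop malformed elements without a name


def unexplained_permissions(manifest_xml, declared_features):
    """Permissions requested by the manifest that no declared feature justifies.
    Unknown feature names are ignored rather than treated as justifying anything."""
    explained = set()
    for feature in declared_features:
        explained |= FEATURE_BASELINE.get(feature, set())
    return sorted(p for p in requested_permissions(manifest_xml) if p not in explained)


def audit_report(manifest_xml, declared_features):
    """Pair each unexplained permission with its (assumed) Play Store label."""
    return [(p, PLAY_LABELS.get(p, "(no Play label known)"))
            for p in unexplained_permissions(manifest_xml, declared_features)]


if __name__ == "__main__":
    features = ["post_photos", "invite_friends", "nearby_posts", "any_online_app"]
    for perm, label in audit_report(CONSTRUCTED_MANIFEST, features):
        print("UNEXPLAINED: %-50s %s" % (perm, label))
```

Run against the constructed manifest with the four advertised features, the report lists exactly the six permissions the comment could not account for; drop a feature from the list and the permission it justified is flagged too. The baseline is deliberately a data table so a reviewer can record why each permission is accepted rather than accepting the app's whole request set on trust.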

not anonymous • October 22, 2014 8:13 AM

@Daniel, isn't it ironic that one of the slogans of the group Anonymous is "never forget"? The right to be forgotten is a new concept, but unfortunately it is not a basic right recognized by the Universal Declaration of Human Rights as outlined by the United Nations. A more straightforward concept is the right to remain anonymous.

Gweihir • October 22, 2014 8:56 AM

Well, my take is that they are actually a false-flag operation and that tracking users is their actual mission. Grand claims would be part of that.

Silent Underground • October 22, 2014 11:35 AM

Could be false flag from the get go, or could just be wannabes that were overly accommodating. Or were offered money. The USG is a big spender and does use their money to meet espionage goals.

The guy's "you are going to be sorry about this" statement I find concerning. But, from an individual level. If you are connected, you don't stress if someone does something against you. Because you got all these other people -- and are not even operating on your own behalf in the first place.

So, I figure he is probably some guy caught up in the whole "oh drool you spy and military guys, I love you".

His reaction was just too personal, both in the hurt feelings and in the threat.

Telcos, the big tech companies... otoh stink to me of coverups. Big denials, savvy moves towards a new pretense of privacy. Like a spouse caught cheating that is not about to end anything....

menco • October 22, 2014 1:16 PM

What kind of retard posts secret messages from their smartphone to a for-profit USA-based company running proprietary software and believes their privacy is safe?

SchneieronSecurityFan • October 23, 2014 2:36 AM

The in-question company's domain ends in .sh. That is the country domain for Saint Helena, Ascension and Tristan da Cunha. I see that the country domain follows the word "whisper". So, if read aloud, the domain sounds like "whisper" "dot" and then the "s-h" sound in English. Could there be another reason, though?

Bob S. • October 23, 2014 6:49 AM

@SchneieronSecurityFan

Re: Whisper.SH and Ascension Island
Ascension Island is part of the St. Helena group of islands and is a big NSA, GCHQ and military base. Indeed the few "civilians" there are being run off so the spies can have it all to themselves.

I think that pretty much settles it, Whisper is likely a NSA front and part of the 5-eyes organization. What do you think?

"Britain wants to depopulate Ascension of all non-cleared foreign nations in preparation for an expansion of the NSA-CSO facility to handle data from a new fleet of signals intelligence and other U.S. spy satellites."
Source: http://blendz72.wordpress.com/2013/10/05/the-nsa-empires-expanding-colonies/

Now a question becomes, how many false flag apps are there and how do they prey on honest American men, women and defenseless little children legally?

Unless, of course, they have exempted themselves from the Rule of Law.

Bob S. • October 23, 2014 2:01 PM

@ Adjuvant:

Interesting pseudonym.

Yes, it is quite plausible that the .sh TLD was selected only to get the specific "Whisper" domain name or some other reason.

It's plausible that word was only available from that one TLD. Indeed I found Whisper.com is not available. However, Godaddy shows dozens of other available extensions for the url "Whisper", for example, Whisper.zone ($39.99), also Whispers.us, $4.99 and Whisper.city, $17.99.

I've read that intelligence agencies actually have meetings to create plausible explanations for those times when they are outed. Indeed your post is very plausible.

If I was really interested, I would do some tracert work on Whisper.sh to see if traffic actually is routed through Ascension Island. Maybe there is a plausible explanation for that, too. (I did a quick trace, at least a dozen "no response" hops.)

Yes, it's all very plausible. Plausible defensibility is a very good defense.

Right you are. Plausible. Thanks for clarifying that.

Adjuvant • October 23, 2014 4:33 PM

@Bob S. Just opining that this particular data point is probably insignificant. By all means, traceroute as much as you like: perhaps somebody had a cocky sense of humor. Personally, though, I doubt you'll get anywhere, and I would want to pursue other investigative avenues instead. I won't respond to your further insinuations except to remind you that if you push a red herring hard enough, you wind up with bad sushi.

RGP Security • October 27, 2014 8:27 AM

People with deep pockets and a badge will always have an advantage.

It only takes one person to betray a whole organization. Look at Snowden.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.