Whisper… just another scandalous hiss



Whisper’s privacy scandal broke late last week when The Guardian claimed that user data (stretching back to the app’s launch) was allegedly collated and indefinitely stored in a searchable database; that the company monitored some users (even when they opted our of geolocation services); and that they shared some data with the Department of Defense (DOD). There were also allegations that Whisper held the tools to identify newsworthy users by peering into their history and tracking their movements through an in-house mapping tool.  Tracking the location of a user can reveal more about an anonymous user than meets the eye. Though the Whisper app claims to be “the safest place on the Internet,” like so many social apps before them (Snapchat, Grindr, WhatsApp), they’ve managed to fall into the abyss of yet another scandalous hiss.

The promise of anonymity

Like the naughty catholic girl that whispers her sins through a confessional screen — the Whisper app entices you to share your secrets and unmentionables with the world, always under the guise of anonymity. It’s a platform where you can receive accolades for revealing your deepest and darkest voyeuristic secrets. It’s also a place where company employees mine user data (around the clock), while surreptitiously sifting through 30 new whispers per second in hopes of finding sensational or shocking newsworthy topics.

Whisper

 

A recent paper by USCB researchers revealed that the Whisper app contained a vulnerability that was able to pinpoint a users location. Though the Whisper engineering team addressed the issue, the USCB research team was unaware of the specific steps the engineers took to correct the location vulnerability.

The fact that Whisper does not authenticate location in its queries makes this easier, an attacker can issue numerous distance queries from different locations all while sitting the comfort of her living room.

With a bit more effort, an attacker can even track the victim’s movement over time, by triangulating his location every time he posts a whisper. In practice, this means the attacker can go and stalk the victim.

Jonathan Zdziarski, an iOS forensics expert performed a preliminary iOS application analysis at his blog indicating that Whisper app users should be concerned about their anonymity. Whisper iOS generates a unique identifier that can be used to track users throughout the life of the application. He also noted that the core platform appeared to be designed by Fiksu, a user acquisition company that is focused on analytics, social tracking, advertising, incent, and interest mining.

The Whisper app does not appear to be a social networking application with analytics; it appears to be an analytics and user acquisition application that also happens to have a social networking component.

Fluid privacy policies

According to Whisper’s privacy policy:

WhisperText, Inc (“WhisperText,” “we” or “us”) is committed to being a safe place for our users to anonymously share their innermost thoughts, secrets, and feelings. That’s why we place so much focus on protecting your privacy and personal information.

…when you allow us to collect latitude and longitude location information from your device by enabling locations services, your general location (e.g., town) and proximity to other users when you post, will also be publicly viewable. Therefore, even if you do not include personal information in your whispers, your use of the Services may still allow others, over time, to make a determination as to your identity based on the content of your whispers as well as your general location.

Please be advised that we process and store all information in the United States or other countries where our service providers may be based. This may be important to you, as the laws of the United States or such other countries may not be as protective of your personal information as the laws of your jurisdiction.

Though the above is nicely worded and somewhat conducive to heralding user trust —  Why did they violate user trust? Who are the gatekeepers that hold the user data keys? What do we really know about them? Who are the other countries that hold personal information? Why did TenCent (China’s most powerful Internet company) sink secretive millions into Whisper?  So many questions, so few answers.

Whisper App permissions

Over at Schneier on Security, a comment from Chris F. caught my attention and really made me think about app privacy implications :

What doesn’t make sense is the following permissions:

Device & app history
retrieve running apps

Identity
find accounts on the device

Wi-Fi connection information
view Wi-Fi connections

Other
view network connections
close other apps
use accounts on the device

Why it needs to see what networks you’re connected to (since it already knows where you are) and why it needs access to other applications and to use accounts I can’t think of a legitimate reason for. Unless the using of accounts is to get access to contact list (which I didn’t see as a requested permission).

 Vetting apps

Mobile app vetting has been at the top of my list of pet peeves in Internet security and privacy for the past few years now. For the most part — I am angry that too many apps find their way onto the Internet from companies and developers that do not provide solid company and developer information, including full names of the developers and the geographical location of their company.

I am a true believer and practitioner of vetting any app that I use. I always need to know who the company is, who the developers are, their reputation, and if the app has any potential of screwing me over (like stealing my contacts without my knowledge). I do not rely upon app reviews as the base criteria for using an app either, because gaming the review system is not unheard of. There are plenty of marketing services and shifty websites that sell fake five-star reviews to developers, reading the reviews can be helpful, but do not base your final decision strictly on five-star ratings. I feel that before I use any app that I should be able to:

  • Verify that a company is legitimate and reputable
    • Has a physical location that I can find on Google maps
    • Has employees that I can locate on LinkedIn
    • Has a valid website that is not masked behind a privacy shield
    • Has a state business license
  • Review a site privacy policy that lists:
    • Who is collecting the data
    • How the data will be used
    • Who is receiving the data
    • Who the data is shared with
  • Review an app privacy policy
    • What purpose(s) the app is collecting data for
    • The kinds of personal data collected
    • Who the data is shared with
    • What permissions the app uses
    • Include the company site name, address, and contact information

It is also wise to have knowledge of the company/App developer reputation and to read app reviews that are from trusted and reliable sources. There are exceptions to the list above; such as a developer who works from home. I’ve known developers who have great coding reputations and app reviews, who do not work for a company and are self-employed.

Just another scandalous hiss

I’m hungry now. I’ve been standing in this long line with a leaky-gut social app for too many hours. Got a Whisper for me?

  • I work at Burger King and I was so thirsty that I took a sip of a customers drink before handing it out the window.
  • I work at KFC and my boss has told me to cook food off the floor.
  • My secret I spit on all the white peoples food at the white castle I work at.
  • I never wash my hands after using the restroom…I’m a server.

Do you Whisper?

 

Leave a reply