Revealed: how Whisper app tracks ‘anonymous’ users

Print Friendly, PDF & Email
  • Some Whis­per users mon­i­tored even after opt­ing out of geolo­ca­tion ser­vices
  • Com­pa­ny shares some infor­ma­tion with US Depart­ment of Defense
  • User data col­lat­ed and indef­i­nite­ly stored in search­able data­base

Whis­per app rewrites terms of ser­vice and pri­va­cy pol­i­cy

How the ‘safest place on the inter­net’ tracks its users

 A Whisper user posted this message from the vicinity of the White House. The red icons signify someone who has posted a Whisper. Potentially identifying information has been redacted by the Guardian. Photograph: Guardian

A Whis­per user post­ed this mes­sage from the vicin­i­ty of the White House. The red icons sig­ni­fy some­one who has post­ed a Whis­per. Poten­tial­ly iden­ti­fy­ing infor­ma­tion has been redact­ed by the Guardian. Pho­to­graph: Guardian

The com­pa­ny behind Whis­per, the social media app that promis­es users anonymi­ty and claims to be the “the safest place on the inter­net”, is track­ing the loca­tion of its users, includ­ing some who have specif­i­cal­ly asked not to be fol­lowed.

The prac­tice of mon­i­tor­ing the where­abouts of Whis­per users – includ­ing those who have express­ly opt­ed out of geolo­ca­tion ser­vices – will alarm users, who are encour­aged to dis­close inti­mate details about their pri­vate and pro­fes­sion­al lives.

Whis­per is also shar­ing infor­ma­tion with the US Depart­ment of Defense gleaned from smart­phones it knows are used from mil­i­tary bases, and devel­op­ing a ver­sion of its app to con­form with Chi­nese cen­sor­ship laws.

The US ver­sion of the app, which enables users to pub­lish short mes­sages super­im­posed over pho­tographs or oth­er images, has attract­ed mil­lions of users, and is prov­ing espe­cial­ly pop­u­lar among mil­i­tary per­son­nel who are using the ser­vice to make con­fes­sions they would be unlike­ly to pub­lish on Face­book or Twit­ter.

Cur­rent­ly, users of Whis­per are pub­lish­ing as many as 2.6m mes­sages a day. Face­book is report­ed­ly devel­op­ing its own Whis­per-style app for anony­mous pub­lish­ing. The trend toward anonymi­ty in social media has some pri­va­cy experts con­cerned about secu­ri­ty.

Approached for com­ment last week, Whis­per said it “does not fol­low or track users”. The com­pa­ny added that the sug­ges­tion it was mon­i­tor­ing peo­ple with­out their con­sent, in an appar­ent breach of its own terms of ser­vice, was “not true” and “false”.

But on Mon­day – four days after learn­ing the Guardian intend­ed to pub­lish this sto­ry – Whis­per rewrote its terms of ser­vice; they now explic­it­ly per­mit the com­pa­ny to estab­lish the broad loca­tion of peo­ple who have dis­abled the app’s geolo­ca­tion fea­ture.

Whis­per has devel­oped an in-house map­ping tool that allows its staff to fil­ter and search GPS data, pin­point­ing mes­sages to with­in 500 meters of where they were sent.

The tech­nol­o­gy, for exam­ple, enables the com­pa­ny to mon­i­tor all the geolo­cat­ed mes­sages sent from the Pen­ta­gon and Nation­al Secu­ri­ty Agency. It also allows Whis­per to track an indi­vid­ual user’s move­ments over time.

When users have turned off their geolo­ca­tion ser­vices, the com­pa­ny also, on a tar­get­ed, case-by-case basis, extracts their rough loca­tion from IP data emit­ted by their smart­phone.

The Guardian wit­nessed this prac­tice on a three-day vis­it to the company’s Los Ange­les head­quar­ters last month, as part of a trip to explore the pos­si­bil­i­ty of an expand­ed jour­nal­is­tic rela­tion­ship with Whis­per.

After review­ing Whisper’s back-end tools and speak­ing exten­sive­ly with the company’s exec­u­tives, the Guardian has also estab­lished that:

  • User data, includ­ing Whis­per post­ings that users believe they have delet­ed, is col­lat­ed in a search­able data­base. The com­pa­ny has no access to users’ names or phone num­bers, but is stor­ing infor­ma­tion about the pre­cise time and approx­i­mate loca­tion of all pre­vi­ous mes­sages post­ed through the app. The data, which stretch­es back to the app’s launch in 2012, is being stored indef­i­nite­ly, a prac­tice seem­ing­ly at odds with Whisper’s stat­ed pol­i­cy of hold­ing the data only for “a brief peri­od of time”.
  • A team head­ed by Whisper’s edi­tor-in-chief, Neet­zan Zim­mer­man, is close­ly mon­i­tor­ing users it believes are poten­tial­ly news­wor­thy, delv­ing into the his­to­ry of their activ­i­ty on the app and track­ing their move­ments through the map­ping tool. Among the many users cur­rent­ly being tar­get­ed are mil­i­tary per­son­nel and indi­vid­u­als claim­ing to work at Yahoo, Dis­ney and on Capi­tol Hill.
  • Whisper’s pol­i­cy toward shar­ing user data with law enforce­ment has prompt­ed it on occa­sions to pro­vide infor­ma­tion to both the FBI and MI5. Both cas­es involved poten­tial­ly immi­nent threats to life, Whis­per said, a prac­tice stan­dard in the tech indus­try. But pri­va­cy experts who reviewed Whisper’s terms of ser­vice for the Guardian said the com­pa­ny appeared to require a low­er legal thresh­old for pro­vid­ing user infor­ma­tion to author­i­ties than oth­er tech com­pa­nies.
  • The com­pa­ny is coop­er­at­ing with the US Depart­ment of Defense, shar­ing infor­ma­tion with researchers inves­ti­gat­ing the fre­quen­cy of men­tions of sui­cide or self-harm from smart­phones that Whis­per knows are being used from US mil­i­tary bases. Whis­per stressed that “spe­cif­ic user data” is not being shared with the DoD, adding that the com­pa­ny was “proud­ly work­ing with many organ­i­sa­tions to low­er sui­cide rates and the US mil­i­tary is among them”.
  • Whis­per is devel­op­ing a Chi­nese ver­sion of its app, which received a soft-launch ear­li­er this month. Com­pa­nies like Google, Face­book and Twit­ter are banned in main­land Chi­na. Whis­per exec­u­tives said they had agreed to the demands Chi­na places on tech com­pa­nies oper­at­ing in its juris­dic­tion, includ­ing a ban on the use of cer­tain words.

Whisper’s tar­get­ed mon­i­tor­ing of some peo­ple who use the app – even some of those who have declared they do not want to be fol­lowed by opt­ing out of geolo­ca­tion – is like­ly to sur­prise its users, who are drawn to the app by the bold promis­es the com­pa­ny makes about their anonymi­ty.

Whis­per isn’t actu­al­ly about con­ceal­ing iden­ti­ty. It’s about a com­plete absence of iden­ti­ty,” the company’s co-founder and CEO, Michael Hey­ward, recent­ly told Entre­pre­neur mag­a­zine. “The con­cept around Whis­per is remov­ing the con­cept of iden­ti­ty alto­geth­er, so you’re not as guard­ed.”
Brad Brooks Michael Hey­ward Whis­per Brad Brooks, left, and Michael Hey­ward of Whis­per in San­ta Mon­i­ca. Pho­to­graph: Ringo Chiu/Zuma Press/Corbis

 Brad Brooks, left, and Michael Heyward of Whisper in Santa Monica. Photograph: Ringo Chiu/Zuma Press/Corbis

Brad Brooks, left, and Michael Hey­ward of Whis­per in San­ta Mon­i­ca. Pho­to­graph: Ringo Chiu/Zuma Press/Corbis

He has called Whis­per the “safest place on inter­net” and por­trays the app as a secure place in which users should feel free to express their inner­most feel­ings and con­fes­sions.

Whis­per, which was recent­ly val­ued at over $200m, has grown rapid­ly since its launch two years ago. It is among the fleet of con­fes­sion­al apps, such as Secret and Yik Yak, which back­ers say enable users to be more can­did than they are on oth­er social media plat­forms.

To stamp out inap­pro­pri­ate behav­iour, Whis­per has an off­shore base in the Philip­pines, where more than 100 employ­ees screen mes­sages 24 hours a day. Whis­per described the process as “extreme­ly secure”.

In an attempt to pro­mote con­tent post­ed on the app, Whis­per has worked hard to build rela­tion­ships with news organ­i­sa­tions. Its longest-stand­ing part­ner­ship is with Buz­zfeed, and Whisper’s exec­u­tives said they are now in dis­cus­sions with news­pa­pers and TV net­works.

On Thurs­day, a Buz­zfeed spokesper­son said the news out­let is now halt­ing its part­ner­ship with Whis­per. “We’re tak­ing a break from our part­ner­ship until Whis­per clar­i­fies to us and its users the pol­i­cy on user loca­tion and pri­va­cy,” a spokesper­son said.

Over the last year, Whis­per has pro­mot­ed rev­e­la­tions post­ed by anony­mous users about the dis­missal of Dov Char­ney, the founder of Amer­i­can Appar­el, and accu­sa­tions about Gwyneth Paltrow’s pri­vate life.

In Sep­tem­ber, Whis­per returned to the head­lines when an appar­ent­ly sui­ci­dal man in Texas used the app to broad­cast mes­sages and pho­tographs from the mid­dle of a stand­off with armed police.

 Whisper’s in-house mapping tool identifies users who have posted in the vicinity of the National Security Agency, Maryland, using their GPS data. Occasionally, the company uses IP address location data to establish the rough location of some users who have opted out the app’s geolocation services. Photograph: Guardian

Whisper’s in-house map­ping tool iden­ti­fies users who have post­ed in the vicin­i­ty of the Nation­al Secu­ri­ty Agency, Mary­land, using their GPS data. Occa­sion­al­ly, the com­pa­ny uses IP address loca­tion data to estab­lish the rough loca­tion of some users who have opt­ed out the app’s geolo­ca­tion ser­vices. Pho­to­graph: Guardian

The Guardian had pre­vi­ous­ly worked with Whis­per to find Iraq war vet­er­ans who want­ed to share their opin­ions of Isis, find an undoc­u­ment­ed immi­grant to write an opin­ion arti­cle and post people’s con­fes­sions about Valentine’s Day. At no point dur­ing those col­lab­o­ra­tions did Whis­per indi­cate it was ascer­tain­ing the loca­tion of indi­vid­ual users who had dis­abled their geolo­ca­tion fea­ture.

The Guardian vis­it­ed the Whis­per offices to con­sid­er the pos­si­bil­i­ty of under­tak­ing oth­er jour­nal­is­tic projects with the com­pa­ny and sent two reporters last month to look in detail at how the app oper­ates. At no stage dur­ing the vis­it were the jour­nal­ists told they could not report on the infor­ma­tion shared with them.

The Guardian is no longer pur­su­ing a rela­tion­ship with Whis­per.

Whis­per intro­duced its option­al geolo­ca­tion fea­ture ear­li­er this year, enabling users to view oth­er people’s mes­sages that have been post­ed by users with­in a set-mile radius, known as the “near­by” func­tion. Cru­cial­ly, the app also con­tains a but­ton that allows users to opt out of its geolo­ca­tion ser­vice, a facil­i­ty its terms state is “pure­ly vol­un­tar­i­ly”.

That sys­tem pro­vid­ed Whis­per with a hoard of eas­i­ly analysed loca­tion data from those who opt­ed into the ser­vice, and the com­pa­ny has become increas­ing­ly open with jour­nal­ists that its in-house tech­nol­o­gy allows it to locate users. The com­pa­ny now uses geolo­ca­tion to make judg­ments about the “verac­i­ty” of users post­ing on the site.

In July, dur­ing the recent Israeli war in Gaza, Whis­per was able to mon­i­tor Israeli Defense Force sol­diers on the front­line. “We had 13 or 14 sol­diers who we were track­ing – every whis­per they did,” one Whis­per exec­u­tive said dur­ing the Guardian’s vis­it.

Sep­a­rate­ly, Whis­per has been fol­low­ing a user claim­ing to be a sex-obsessed lob­by­ist in Wash­ing­ton DC. The company’s track­ing tools allow staff to mon­i­tor which areas of the cap­i­tal the lob­by­ist vis­its. “He’s a guy that we’ll track for the rest of his life and he’ll have no idea we’ll be watch­ing him,” the same Whis­per exec­u­tive said.

Now the com­pa­ny plans to make its data­base and a ver­sion of its map­ping tool avail­able to select jour­nal­ists in the com­ing months.

When Guardian reporters vis­it­ed Whis­per last month, Zim­mer­man and anoth­er exec­u­tive said that when they want­ed to estab­lish the loca­tion of indi­vid­ual users who are among the 20% who have opt­ed out of geolo­ca­tion ser­vices, they sim­ply asked their tech­ni­cal staff to obtain the “lat­i­tude and lon­gi­tude” of the phones they had used.
Neet­zan Zim­mer­man Neet­zan Zim­mer­man, edi­tor-in-chief of Whis­per. Pho­to­graph: Ringo Chiu/Zuma Press/Corbis

Neetzan Zimmerman, editor-in-chief of Whisper. Photograph: Ringo Chiu/Zuma Press/Corbis

Neet­zan Zim­mer­man, edi­tor-in-chief of Whis­per. Pho­to­graph: Ringo Chiu/Zuma Press/Corbis

One of the users that Whis­per sug­gest­ed the Guardian could be inter­est­ed in research­ing, for exam­ple, claimed to be sol­dier who could be immi­nent­ly deployed to Iraq.

The user had appar­ent­ly turned off their geolo­ca­tion facil­i­ty, deny­ing the com­pa­ny per­mis­sion to track them. Yet Whis­per was able to ascer­tain the dates the user had been in Afghanistan and Fort Riley, Kansas.

Whis­per lat­er explained that when it wants to estab­lish the loca­tion of users who have dis­abled their geolo­ca­tion ser­vices, the com­pa­ny uses their IP loca­tion.

On Thurs­day last week, the Guardian con­tact­ed Whis­per, explained it planned to write a sto­ry about the company’s inter­nal prac­tices and asked for com­ment.

Whis­per acknowl­edged that it research­es the loca­tion of spe­cif­ic users it believes are post­ing news­wor­thy infor­ma­tion, but empha­sised it typ­i­cal­ly uses GPS data.

Whis­per stressed the IP loca­tion data it uses for peo­ple who have asked not to be fol­lowed is rough and unre­li­able.

We occa­sion­al­ly look at user IP address­es inter­nal­ly to deter­mine very approx­i­mate loca­tion,” the com­pa­ny said. “User IP address­es may allow very coarse loca­tion to be deter­mined to the city, state or coun­try lev­el.”

It added: “Whis­per does not request or store any per­son­al­ly iden­ti­fi­able infor­ma­tion from users, there­fore there is nev­er a breach of anonymi­ty. From time to time, when a user makes a claim of a news­wor­thy nature, we review the user’s past activ­i­ty to help deter­mine verac­i­ty.”

The com­pa­ny strong­ly reject­ed any asser­tion of wrong­do­ing. “The Guardian’s assump­tions that Whis­per is gath­er­ing infor­ma­tion about users and vio­lat­ing user’s pri­va­cy are false,” it said. “The pri­va­cy of our users is not vio­lat­ed in any of the cir­cum­stances sug­gest­ed in the Guardian sto­ry.”

Four days lat­er, Whis­per rewrote large sec­tions of its terms of ser­vice and intro­duced an entire­ly new pri­va­cy pol­i­cy.

Where­as the pre­vi­ous terms and con­di­tions described all of Whisper’s track­ing of user loca­tion as “vol­un­tary”, the new terms now warn users to “bear in mind that, even if you have dis­abled loca­tion ser­vices, we may still deter­mine your city, state, and coun­try loca­tion”.

Since becom­ing aware that the Guardian planned to pub­lish its sto­ry, the anony­mous app has also insert­ed a new line into its pri­va­cy pol­i­cy.

It now warns users that turn­ing on the app’s geolo­ca­tion fea­ture may “allow oth­ers, over time, to make a deter­mi­na­tion as to your iden­ti­ty”.