Concerns over just how anonymous the secret-sharing app Whisper is are back in the news, and the company is once again suggesting that there’s no way it could track its users’ exact location. There’s just one problem: That’s almost certainly not true.
To be clear: Whisper emphatically denies that it tracks users that precisely. But that’s not the same thing as saying it can’t.
Last October, the Guardian ignited a privacy firestorm with a series of reports that claimed Whisper monitors the whereabouts of users—even those who had specifically opted out of location sharing—and could track their position within a 500-meter radius. Much of the furor surrounds the fact that Whisper knows and stores its users’ “IP addresses“—a numerical label that identifies a computer or smartphone to the Internet.
At the time, Whisper acknowledged that it has access to and stores user IP addresses, but disputed the Guardian’s specific claims that it used them to pinpoint user locations. Then on Wednesday, the Guardian issued a clarification of its original reports that, well, failed to clarify much of anything. It states, in part:
We reported that IP addresses can only provide an approximate indication of a person’s whereabouts, not usually more accurate than their country, state or city. We are happy to clarify that this data (which all Internet companies receive) is a very rough and unreliable indicator of location.
On Wednesday, Whisper thanked the Guardian for “issuing corrections and setting the record straight.” The company went on to insist that its service “is and always has been totally committed to the privacy of everyone who uses our product.”
From A Whisper To A Scream
The Guardian’s clarification, however, is itself inaccurate: It’s not all that difficult to precisely locate many individuals by IP address. And Whisper’s own previous statements make clear that the service collects all the data it would need to pinpoint the location of many users.
It’s just that Whisper is choosing not to do so—and is now apparently hiding behind the Guardian’s own inaccurate clarification to further obscure the issue.
“IP addresses can provide an exact location of a person’s whereabouts,” says Nate Cardozo, a staff attorney on the Electronic Frontier Foundation’s digital civil liberties team. That’s because while some IP addresses are in fact only loosely connected to specific geographic locations, many others—particularly those associated with Wi-Fi hotspots—are much easier to geolocate.
For instance, commercial outfits such as Skyhook Wireless can provide very specific location data based on hotspot IP addresses. Such companies have amassed large databases that correlate hotspot locations with the IP addresses they—and, by extension, anyone connected to the Wi-Fi network—use, via a combination of direct hotspot scanning and the cooperation of app “partners” who pass along hotspot IP data from users as they connect.
In other words, if you connect to Whisper over Wi-Fi, Whisper could turn to a service such as Skyhook to determine your specific address and even the floor you are on when using the app. By contrast, connecting to the app using your carrier’s network would deliver only your general location—typically the city, state and country you’re in. (That appears to be what the Guardian was clumsily getting at in its clarification.)
“Whisper currently does not and has never subscribed to a service like Skyhook,” a company spokesperson told me in an email. That, of course, wouldn’t preclude Whisper from doing so in the future.
A Low Whisper
When I asked Whisper for further clarification, the spokesperson declined to comment beyond the statements noted above and a reference to an October 2014 Medium post by Whisper founder and CEO Michael Heyward.
In that post, Heyward acknowledged that Whisper collects user IP addresses, although he said it deletes them after seven days. He implied that IP addresses could only be used to “infer your city, state and country,” adding that “[w]e do not actively track users.”
At roughly the same time, Whisper CTO Chad DePue similarly argued in a Hacker News post that the company uses an old “geoip database” to assign locations to IP addresses that is “so inaccurate as to be laughable.” DePue added that the company further randomizes location information before it saves it to its database.
DePue’s post drew this sardonic response from security research Moxie Marlinspike:
There’s a huge difference between “can’t” track and “won’t” track. Right now you’re claiming “can’t,” but it sounds like you’re squarely in the “won’t” category of having your servers “avert their eyes.” I think this understandably makes people uneasy, particularly given the data mining direction it sounds like the company is headed.
Users can prevent apps and websites from tracking their IP-address location data by using a VPN. But Whisper could also respect the wishes of users who opt out of providing their location to the app—which it has failed to do, according to the Guardian.
The EFF’s Cardozo argues it this way:
If a consumer tells an app not to collect the consumer’s location data, the app should respect that decision. If the app doesn’t respect that decision, especially if it gives the user a choice, I think that’s unfair.
Lead image by Calsidyrose