Whisper, an app that purports to send messages anonymously, has been tracking the location of its users, including those who have turned off their geolocation feature, The Guardian reported last week.
Even more incendiary than the location-tracking accusation, The Guardian also alleged that Whisper has identified smartphones used at military bases and has shared information gleaned from them with the U.S. Department of Defense.
The app is particularly popular with military personnel who use it to post anonymously, the paper noted.
The news is likely to be alarming to all of Whisper’s users, whether they are in the military or not. Whisper’s raison d’etre is to give users a way to reveal secrets without exposing their identity.
Whisper’s Fierce Denial
Whisper promptly responded to the report with firm and heated denials.
Whisper reportedly denied that it collects or stores any personally identifiable information from users, maintaining that its geolocation data can not be tied to an individual user.
The company further denied that it tracks users and characterized The Guardian’s allegations as false.
Did They or Not?
Post-Snowden, a denial might not be enough to quiet suspicions raised by a report, especially from a paper such as The Guardian, which in fact published many of former NSA contractor Edward Snowden’s extensive leaks on how the U.S. government had infiltrated networks, databases and phone systems believed to be private.
“When it comes to privacy, rule No. 1 for companies in e-commerce is to say what you do, and do what you say,” said Jeremy Mishkin, a partner at Montgomery McCracken Walker & Rhoads.
“If you promise not to collect personally identifiable information and then get caught doing just that, it’s not just a legal problem — it’s a huge customer relations problem,” he told the E-Commerce Times.” There is a long list of very well-known companies who’ve been through that cycle, and have found themselves involved in consumer class actions and government investigations as a result.”
It is unclear at this point what the truth is, Mishkin said. It could be that Whisper is, as it insists, entirely innocent. It could be that it is deliberately violating users’ trust, or it could be that it started out with the best of intentions and then found it necessary to scale back its initial promises, for whatever reason.
“I don’t know whether Whisper is right or wrong, but many websites have gotten tripped up by promising privacy and then compromising it, so it is not surprising that app builders are running into the same issues,” Mishkin said.
How to Market Complete Privacy
Increasingly, companies are marketing the promise of privacy by offering something they are not able to deliver, which is anonymity, Abine CEO Rob Shavelle told the E-Commerce Times.
“Something like Tor, which is an open source project many years in the making, can credibly claim to offer some anonymity,” Shavelle said.
However, “most of the new set of companies marketing privacy don’t offer anything remotely close. In fact, they offer nothing in terms of privacy a normal website wouldn’t offer,” he maintained. “The problem, ethically, is many of these companies are deliberately not being so clear.”