Slashdot Mirror


How Whisper Tracks Users Who Don't Share Their Location

blottsie (3618811) writes "On Thursday, the Guardian reported that secret-sharing app Whisper was tracking users' locations even when they opt out of sharing their location. [See also this earlier, related story.] Whisper has denied the accusations—but this may be a matter of semantics. Whisper allegedly uses an outdated version of GeoIP by MaxMind, which uses your IP address to estimate your location on a map. Whisper's Chad DePue said in a comment on Hacker News that the tool is "so inaccurate as to be laughable," suggesting that determining something as broad as your country or state won't bother the basic user (and he could be right, but what is and isn't an upsetting degree of user information is another argument entirely)."

39 comments

  1. accuracy by Kvasio · · Score: 2

    well, if it was accuracy to the planet, I would not be upset.
    Unless I had a mistress on Mars ... or Uranus.

    1. Re:accuracy by Anonymous Coward · · Score: 0

      That's a way too self-derogatory way of talking about one's penis size. Even for me. The leakers of strategic information should be satisfied with 200km inaccuracy. That way they will survive the nuclear blast meant to silence them.

  2. Meh... by mythosaz · · Score: 2

    ...better delete your Apache logs, lest you be accused of tracking people's "locations."

    1. Re:Meh... by Anonymous Coward · · Score: 1

      I think it's important to point out that this wasn't incidental. The claim is not "They know your IP so they must know where you are !!?!"

      They actively attempted to track people. It doesn't matter that their alternate method (GeoIP) is less accurate.

      They've been caught demonstrating a disregard for your preference/request/requirement. No one should trust them not to lie further (using GPS if possible). Or, at least, find a more accurate alternative tracking system.

  3. I'm upset by Virtucon · · Score: 1

    to a degree I'm upset.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"

    1. Re:I'm upset by wonkey_monkey · · Score: 1

      I don't get it.

      Oh, wait a minute...

      --
      systemd is Roko's Basilisk.

  4. Not at all accurate by techno-vampire · · Score: 5, Insightful

    My connection is on a dynamic IP address. The best any of those services can do is tell you what city my ISP's router is in, and one of the three services tested by iplocation.net (the service pointed to by TFA) managed to get it wrong. And, I'm not the least bit impressed by the claim that the author's location was correct within 5 miles, as that still leaves anybody looking for you with just over 78.5 square miles to search.

    --
    Good, inexpensive web hosting

    1. Re:Not at all accurate by Kvasio · · Score: 1

      just hide in this unsearched area - the one between 78.5 and 78.539 sq m.

    2. Re:Not at all accurate by santax · · Score: 1

      Keyword: correlation. They can track you a lot closer than those 5 miles, but it doesn't matter. They know who you are, by correlation. It's not important if you happen to stand on 23rd or 24th street.

    3. Re:Not at all accurate by alphatel · · Score: 1

      > My connection is on a dynamic IP address. The best any of those services can do is tell you what city my ISP's router is in, and one of the three services tested by iplocation.net (the service pointed to by TFA) managed to get it wrong. And, I'm not the least bit impressed by the claim that the author's location was correct within 5 miles, as that still leaves anybody looking for you with just over 78.5 square miles to search.

      So how inaccurate is something if you are generating this data all the time, wherever you travel, from one ISP to another, and post your subliminal text images all over the place. Suddenly a fuzzy picture starts to look much clearer, and you can be pinpointed with reasonable accuracy.

      --
      When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.

    4. Re:Not at all accurate by donaldm · · Score: 1

      > My connection is on a dynamic IP address. The best any of those services can do is tell you what city my ISP's router is in, and one of the three services tested by iplocation.net (the service pointed to by TFA) managed to get it wrong. And, I'm not the least bit impressed by the claim that the author's location was correct within 5 miles, as that still leaves anybody looking for you with just over 78.5 square miles to search.

      To accurately determine a cell phone's location you need three or more towers, which can be the case in a city. Without GPS being turned on and with three cell towers it is possible to get a location accuracy of a few tens of meters, or if you live in a non-metric country approximately a few tens of yards. A quick search will confirm what I have just said, but you could look at this site or you can try one of the 100 million plus hits I got with my search.

      As per the above URL the accuracy was 100 m which if you have done basic trigonometry (assuming a circle which is A = pi x r^2) is 7,850 square meters. Actually the area of location would be an ellipse (area = pi x small radius x large radius) not a circle (I used this for simplicity) which would be an even smaller area again. Of course if GPS was turned on then location accuracy would be down to a few meters such that the cell phone being tracked could be accurately located to a small room within a building.

      I think the bottom line is to ask the question "Do you trust your applications?" if you don't then don't use a smart phone or if you are really paranoid don't carry a cell phone, make sure you have checked your clothing for bugs and carefully check to make sure no one is following you. :)

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.

    5. Re:Not at all accurate by Anonymous Coward · · Score: 0

      The accuracy needed depends also on the purpose of gathering information. What if the point is not to provide real-time location tracking but to roughly categorize data by country of origin -- that's pretty valid for IP addresses the vast majority of the time (unless you're VPNed across borders, which is rare).

      The NSA is supposed to treat US-originating data differently from non-US data. An IP address would give them a rule-of-thumb as to how to treat the data. Likewise, two-factor authentication by phone number adds at least a level of certainty to what country data is from: even an anonymous burner phone has a country code, which tells you that any data accounts authenticated by that number as one of the two factors have a connection to that country.

    6. Re:Not at all accurate by fisted · · Score: 1

      > Except that it's really not that dynamic.

      Except that it really is that dynamic. Who speaks DHCP with their ISP anyway. Protip: Often is IPCP on a PPP link.

      > Of course, silly claims like this

      n/c

    7. Re:Not at all accurate by Anonymous Coward · · Score: 0

      You might look into this "just over" phrase. It can be quite useful.

    8. Re:Not at all accurate by digsbo · · Score: 1

      What if someone wanted to know where you weren't? That can be just as damaging.

    9. Re:Not at all accurate by Anonymous Coward · · Score: 0

      Have you heard of PPP? My ISP leases me a network address for 24 hours, and then transparently changes it after the expiry of that time period. Or, I can simply disconnect and then reconnect to get a new one.

    10. Re:Not at all accurate by antdude · · Score: 1

      Can Tor be used with this program to make it even harder to track?

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).

    11. Re:Not at all accurate by Fnord666 · · Score: 1

      > Can Tor be used with this program to make it even harder to track?

      Unfortunately not. Tor only obscures your source IP address from servers and peers that you are connecting to. It won't help for an application that is residing on your phone. You could use any number of the location spoofing frameworks that are used for testing applications to provide fake/random location data.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables

  5. Sorry. Non-issue. by Anonymous Coward · · Score: 0

    We all know how weak those location services are. This isn't really the huge issue some people want it to be.

    1. Re:Sorry. Non-issue. by Em+Adespoton · · Score: 5, Insightful

      The issue isn't that they know where you are, the issue is that they're collecting and storing location-based data on users who thought they had explicitly opted out of having location data collected.

      I presume they also are still collecting the IP addresses, which can be run against any geolocation software they want after the fact.

      So: collecting location data? Not an issue.

      Using MaxMind's GeoIP service? Not an issue.

      Asking customers if they want to opt out of having their location data stored, and then storing it anyway? THAT is an issue.

    2. Re:Sorry. Non-issue. by Anonymous Coward · · Score: 0

      Then why are they using them at all then? Seems someone is backpedaling with bullshit.

  6. Location and content match by Anonymous Coward · · Score: 1

    Whisper isn't about keeping random people from finding you, it's about keeping your friends from finding you. Because if you wanted them to know what you're posting, you'd use Facebook.

    And the location's accuracy is very often enough, in conjunction with the content of the message, to reasonably suspect someone or even identify them.

  7. Don't collect information you don't need by rhysweatherley · · Score: 5, Insightful

    Note to Chad: The issue is not how accurate the information is or isn't. This issue is that a truly anonymous service has no need for this information.

    If you are providing an anonymous service, then accept the incoming socket, provide the service, and then promptly forget everything about the session. If it is logged, those logs can be requested or outright stolen by the world's TLAs. Even performing a GeoIP lookup without logging it has the potential to leak information from your service that can be collected by mass surveillance and correlated with other information.

    Do not collect information that is not relevant to the service being provided. Period.

    1. Re:Don't collect information you don't need by griffjon · · Score: 1

      1000 times this. I have a general problem with centralized, for-profit services based in countries with known surveillance offering "anonymous" services to begin with, but for the love of all things sane in this world, if you're gonna try that, at least be hyper-aware of every shred of data you incidentally collect or cause to go across the wire.

      --
      Returned Peace Corps IT Volunteer

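Added example, not Whisper's code and not from either of the two comments above: one way to build the "provide the service, then forget the session" rule and the "be aware of every shred of data you collect" rule into a posting handler, so that an opt-out gates the GeoIP lookup itself rather than just hiding its result. The GeoIP table, the /24 and /48 truncation policy and the `PostRecord` shape are assumptions made for the example.

```python
"""Data minimisation for an 'anonymous' posting service (added example).

The raw client IP is used inside one function and never persisted. When the
user has opted out, no GeoIP lookup of any kind happens, so there is no
coarse-but-retained location left over to be correlated or requested later.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for a GeoIP database (prefix -> country code).
# A real deployment would query a MaxMind-style database; these are
# documentation prefixes with made-up answers, for the example only.
FAKE_GEOIP_DB = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("2001:db8::/32"): "DE",
}


def geoip_country(ip: str) -> Optional[str]:
    """Coarse country lookup against the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in FAKE_GEOIP_DB.items():
        if addr in net:
            return country
    return None


def truncate_ip(ip: str) -> str:
    """Drop the host bits so the stored value names a network, not a subscriber.

    Assumed policy: keep /24 for IPv4 and /48 for IPv6. This is the most that
    should ever be kept, and only when abuse rate-limiting actually needs it.
    """
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


@dataclass(frozen=True)
class PostRecord:
    """Everything the service persists about one post (hypothetical shape)."""
    body: str
    country: Optional[str]      # None when the user opted out
    client_net: Optional[str]   # truncated network or None; never the full IP


def build_record(body: str, client_ip: str, location_opt_out: bool,
                 keep_network_for_abuse: bool = False) -> PostRecord:
    """Turn a request into the record that gets stored; client_ip ends here.

    The opt-out gates the lookup itself, not just the display of its result:
    a 'laughably inaccurate' country is still location data if it is kept.
    """
    country = None if location_opt_out else geoip_country(client_ip)
    client_net = truncate_ip(client_ip) if keep_network_for_abuse else None
    return PostRecord(body=body, country=country, client_net=client_net)
```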
  8. Re:if you opted-out.. by fustakrakich · · Score: 4, Insightful

    principles? Wrong planet, buddy. This is business...

    --
    “He’s not deformed, he’s just drunk!”

  9. The issue is one of trust.. not tech details. by MonsterMasher · · Score: 1

    The issue is one of trust.. not tech details. Also, considering the trends, it suggests there is no truth in anything related to business and/or gov and/or communications.
    Simple.

  10. Can Whisper prevent dupes? by Anonymous Coward · · Score: 1

    > It also says there is a technical backdoor that allows Whisper to pinpoint the location of users who have declined to share their location with the app, and that Zimmerman and another executive had requested staff to exploit it. But Zimmerman, fuming at the accusations, said such backdoors are "technically impossible."

    Nonsense. The word "backdoor" is not really appropriate here, but of course there are methods (and they are very technically possible) to divine someone's location even if they've declined to share it. Geolocation has become astonishingly accurate in areas where ISPs and telcos are selling their subscriber physical-to-IP-address data. I'm not talking about the 500-meter resolution mentioned in the article, but the exact address (or coordinates of the exact address) that the subscriber's service is billed to. Geolocation no longer just ties you to a city; IP address alone will get right down to where you're sitting, or where your ISP/telco thinks you're sitting.*

    > "That was never said by anyone. I have no idea where that quote came from. I have no idea what they're talking about. I have never, ever, ever asked anybody in my life, and would never ask anybody, for information on a user who opted out of user location. That cannot be overemphasized. That is a 100 percent lie."

    This seems like deflection and the denial is a bit over the top. The only words in the quote he's talking about are "latitude and longitude." Really, he's never once, even in passing, asked what his team might know about User X or whether they had coordinates for a post from User Y?

    > He added that no change was made to the app's privacy policy as a response to the Guardian's story.

    So the rewording of multiple clauses and the addition of others, just a couple of days after learning of the Guardian article, is all coincidence? Given the fact that the TOS changes specifically address the issues that the Guardian raised, I'm not buying that at all.

    You know, I might be tempted to sympathize with Whisper and with Zimmerman but for one fact, the Guardian reporters were there. They saw and heard these things first-hand. They have no reason to fabricate any of this. Paul Lewis in particular has a pretty stellar reputation and I don't see him throwing it away to write a bogus trash piece about some social app. It looks to me like Whisper was caught with their collective pants down, they've since gone and bought a belt, and now they should just own up to it.

    * I have a unique situation where I can prove this and reproduce it. I was roommates with a buddy of mine for 8 months up until August, and because I'm a lazy ass and we see each other every day anyway, I haven't changed my address. My Sprint phone service is still billed to that apartment in the Fairmount Park area (Philly). I have Comcast internet at my new apartment in East Falls. I noticed by accident that Google Maps picks up on my old and new addresses and it's repeatable with these steps:

    - Disable GPS and wireless on my phone

    - Force my cable modem to get a new IP

    - Go to Google Maps on my computer, it defaults to the center of Philly based on generic geodata, Google has nothing specific to link me to yet

    - Enable wireless on the phone, leave GPS disabled

    - Return to Google Maps on my computer 6 or 8 hours later, it now puts me at my old apartment (where Sprint thinks I live). Something on the Android phone has checked in with Google, Google doesn't have good geodata on my Comcast IP, so it apparently grabs my location through the phone's advertising ID which is tied to my Sprint bill at my old apartment.

    - Return to Google Maps 24 hours later, it correctly puts me at my new apartment (where Comcast knows I am). Google has received updated, very accurate geodata from Comcast about my IP, I guess they get fresh data every 12 or 24 hours.

    All of this while browsing securely, not accepting any Google cookies, not logging into any Google accounts, no GPS or location services are turned on, etc. It's kind of scary how accurate this has become.

    1. Re: Can Whisper prevent dupes? by Anonymous Coward · · Score: 0

      On one hand, many people are hard at work creating things such as this because clueless users want that gee whiz factor. They don't know how this works but it is amazing. If for any reason a user was not able to locate themselves they would conclude that their phone sucks.

      On the other hand...what the fuck google?

  11. Yet another business getting caught by Stan92057 · · Score: 2

    Yet another business getting caught lying to their customers. Welcome to the 20th century. A few more famous liars: Google, Apple, Microsoft, Oracle, Adobe, AOL. What a wonderful century we live in, wouldn't ya say?

    --
    Jack of all trades, master of none

  12. What is whisper? by Anonymous Coward · · Score: 1

    I downloaded and used whisper the day it was released and continued for 6 months to a year.

    During that time I watched the community grow. At its onset it was very small and people were nice. One of my first posts was responding to some young Asian woman who disliked the typical phenotype of rounded face and smaller nose and said she was teased often and wished she had more Caucasian features. I explained that the rounded face was definitely attractive to all males and her nose was adorable. She was pretty beautiful and didn't know it. Responded with a happy smiling selfie referencing me.

    People traded compliments and helpful advice about their secrets. On weekends we would get drunk and post nudes. Good times.

    A few months as a feature on the App Store and a few pervs found it. They assumed it was a dating app. Now instead of nice replies or selfies or clever staged photo responses any woman received dick pics in response. Report them and they would go away sometimes before the op saw them. The community was degenerating but holding on. Whisper implements nudity detection. Beautiful women gone. Dick pics gone. Fine. Fair enough.

    Apparently they continued the dick pic onslaught via PM. But at least it wasn't public. C'est la vie.

    I started noticing a very angry creepy guy was less than 1 mile from me. Oh, and a drag queen that posted every thought they had. Typically about wanting butt secs and that they had trouble finding a job and, yeah. White boy butt secs. Great 1 mile away. These are my neighbors.

    I started going outside less.

    Then whisper advertised on Facebook. Suddenly everyone's "secret" was that their significant other was an asshole. The selfies looked like they were missing a chromosome and the replies to genuine secrets were typically pretty mean. Everyone thought it was Instagram and would post pictures of themselves in a bathroom or their food or talk about how much they loved Arby's or mcdonalds or their shoes.

    People made up random crap trying to get to the top of the featured or global list. Everyone was a single mom or go America, I'm a soldier or whatever. People would rip off memes and crap you saw on Facebook and throw it up as their own story.

    Fame on an anonymous network? What the fuck?

    I started reporting them all. Imagine Facebook content mixed with YouTube comments.

    On one occasion shortly after my brother's passing I noticed a familiar stripper post something about her kid and then something about cocaine use. I mentioned my brother had passed because of coke and she responded with "soz not soz". It had gone from trolling to legitimate pieces of human crap. I was done.

    The entire time, I was known as a kind and funny guy. I never formed any lasting friendships (not the point) but I hoped that I had given helpful advice or made someone laugh. My last post was me with a broken nose splint seemingly trying to bite my chihuahua. A goofy moment, but genuine. Something that was incredibly out of place in the new whisper, but classic in the old atmosphere. Highest rated post I ever got. Maybe there were still normal people out there? Oh well. Deleted.

    I can only imagine what it is like now.
    But all I can say is that if anyone is still using it they're the type of people who would not care one bit about this. They're like Morlocks at this point.

  13. Not at all accurate by Anonymous Coward · · Score: 0

    > My connection is on a dynamic IP address

    Except that it's really not that dynamic. In most DHCP environments, the same IP address is re-assigned to the same MAC address until and unless the DHCP lease expires. When a VLAN is renumbered, or someone explicitly clears the DHCP cache from the local servers and forces a renumbering, you get a different IP address. Go read https://www.ietf.org/rfc/rfc2131.txt to get a better understanding, and actually read the manual pages on the "dhcp" software your environment uses.

    Of course, silly claims like this are why corporate security managers are so useless. Because they don't bother to actually know the technology, and they are specifically taught to ignore it for reasons of plausible deniability.

  14. Criminal, as in FRAUD by Jawnn · · Score: 1

    This kind of thing is inexcusable. It is clearly unethical and it should be illegal. Think we'll get a law like that passed? No, I mean one that doesn't tie the hands of our friend, the government, whom we must entrust with secret powers to keep us safe. I just mean shady operators like Whisper..., and Google.

  15. Your IP address is as good as a GPS by Anonymous Coward · · Score: 1

    Your IP address is as good as a location these days. Because the same IP will have some device on the NAT, your wife's phone, your ChromeBox, your thermostat even, in Android even if you turn off GPS, it still gives Goog permission to have your wifi-sourced location, which is as good as GPS in resolution except out in the wilds.

    Wifi triangulation is as good as GPS and in towns and cities is often better than GPS. But they may also have the GPS signal.

    The CLIENT for this information is buying from many sources and can cross link the various pieces of data. So soldiers are reporting abuses of power thinking they're anonymous, and their message is read, their IP and time located, another database used to pull up the location from another source (e.g. a VOIP app, a map lookup etc.), another to pull up their phone, another to pull up their ID, their wife, their friends....

    This fake 'private' service is one jigsaw piece in a massive $10 billion surveillance operation.

  16. So happy to hear about this again by Kvathe · · Score: 1

  17. Not everyone is on dynamic IP by dutchwhizzman · · Score: 1

    There are plenty of people that are on a static IP that is tied to the box at the end of the street or a few streets further away. Not only that, but depending on what other characteristics they may find in your usage of the line/IP, they can still tie it to you without reasonable doubt if they have an estimated location. Even "some doubt" may be enough for an employer to figure out you are behind something, and that could cost you your job.

    --
    I was promised a flying car. Where is my flying car?

  18. The biggest problem is mobile by radish · · Score: 1

    I've worked with MaxMind stuff on mobile IP location - as the guy says, it's pretty useless. If the user is on wifi it's not too bad; at least the IPv4 stuff could pretty reliably get the state and often city. I never had any luck with IPv6, although they claim to support it better now.

    The big kicker is if the user is on cellular - at least in the US most cell networks are natively IPv6, and they tunnel connections through giant NAT devices. This leads to two interesting effects - firstly, the IPv4 address you see on the server is located at some random data center, usually on the other side of the country from the user. Secondly, the IP (and therefore the data center) keeps changing - sometimes multiple times within a few minutes. Doing any kind of tracking leads to a device which appears to keep hopping back and forth between California and Kansas.

    This Microsoft Research whitepaper talks more about these issues.

    (and before anyone jumps on me for the privacy implications of trying to do this - in my specific case it was tracking devices in an enterprise environment for security purposes and everyone involved had given informed consent)

    --

    ---- One button is the power button, the other is the Bender voice button "Bite My Shiny Metal Ass"
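Added example, not from the comment above and not MaxMind's code: a plausibility filter over a sequence of GeoIP fixes for one device, which flags the back-and-forth California/Kansas hops that cellular carrier-grade NAT egress produces, so that such "tracks" are treated as unreliable rather than as movement. The coordinates, timestamps and the 1000 km/h ceiling are constructed assumptions for the example.

```python
"""Plausibility check for GeoIP-derived 'tracks' of a mobile client.

Successive per-request GeoIP fixes for one device are compared; a jump that
would require travelling faster than any aircraft is the signature of the
client's traffic leaving different NAT egress data centres, not of the user
moving. Sample fixes below are constructed, not real measurements.
"""
import math
from typing import List, Tuple

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling; airliners cruise below this

Fix = Tuple[float, float, float]   # (unix_seconds, latitude, longitude)


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def implausible_hops(fixes: List[Fix],
                     max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Tuple[int, float]]:
    """Return (index, implied_kmh) for every fix whose jump from the previous
    fix would need a speed above max_kmh. Out-of-order or identical timestamps
    are clamped to one second so the implied speed stays finite."""
    flagged = []
    for i in range(1, len(fixes)):
        t0, la0, lo0 = fixes[i - 1]
        t1, la1, lo1 = fixes[i]
        hours = max(t1 - t0, 1.0) / 3600.0
        kmh = haversine_km(la0, lo0, la1, lo1) / hours
        if kmh > max_kmh:
            flagged.append((i, kmh))
    return flagged


def track_is_reliable(fixes: List[Fix],
                      max_kmh: float = MAX_PLAUSIBLE_KMH) -> bool:
    """True only if no hop in the track is physically implausible."""
    return not implausible_hops(fixes, max_kmh)


# Constructed sample: a phone on cellular whose CGNAT egress alternates between
# a data centre near Los Angeles and one near Kansas City within minutes.
CGNAT_TRACK: List[Fix] = [
    (0.0,   34.05, -118.24),   # Los Angeles-area egress
    (120.0, 39.10,  -94.58),   # Kansas City-area egress, two minutes later
    (300.0, 34.05, -118.24),   # back again three minutes after that
]

# Constructed sample: a wifi client whose fixes stay within one city for a day.
WIFI_TRACK: List[Fix] = [
    (0.0,     40.71, -74.01),
    (3600.0,  40.73, -73.99),
    (86400.0, 40.70, -74.02),
]

if __name__ == "__main__":
    for name, track in (("cellular/CGNAT", CGNAT_TRACK), ("wifi", WIFI_TRACK)):
        hops = implausible_hops(track)
        print(f"{name}: reliable={track_is_reliable(track)} flagged={hops}")
```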