Sen. Rockefeller Questions Whisper's Privacy Practices

The anonymous social networking app Whisper, which touts itself as the “safest place on the Internet,” is facing questions from Capitol Hill about the company's privacy practices.

“Recent media accounts have raised serious questions regarding Whisper's practices and commitment to the terms of its own privacy policy,” Sen. Jay Rockefeller (D-W.Va.), head of the Senate Commerce Committee, wrote on Thursday in a letter to Whisper CEO Michael Heyward.

“The allegations in recent media accounts are serious, and users are entitled to privacy policies that are transparent, disclosed, and followed by the company,” he added. 

Rockefeller was referring to a series of articles that ran in the U.K. paper Guardian, which outlined several ways that Whisper allegedly falls short on its privacy promises. Among other potential problems, the newspaper reported that Whisper draws on data like IP addresses to track users' approximate locations -- even if they opt out of geolocation services.

Until last week, Whisper's privacy policy reportedly told users, “permission to our access to and tracking of your location based information is purely voluntary.”

The company's new privacy policy, posted on Oct. 13, now says, “please bear in mind that, even if you have disabled location services, we may still determine your city, state, and country location based on your IP address (but not your exact location).”

Last weekend, Heyward said in a post on Medium that Whisper doesn't collect “personally identifiable information,” which was defined as “names, email addresses, phone numbers, etc.”

But Heyward also says the company collects IP addresses, which it deletes after seven days. He says those addresses “make it possible to infer your city, state and country.”

In many cases, however, Internet service providers are able to identify people based on their IP address -- which is why ISPs often face requests for information about particular IP addresses. Record labels famously used this tactic in bringing lawsuits against people suspected of sharing files on peer-to-peer networks. The labels only brought those cases after obtaining court orders requiring ISPs to disclose names of individuals who were assigned the particular IP addresses seen on the networks.

Heyward also says in his Medium post that Whisper only collects precise GPS location from users who opt in, and that the company randomizes the data to within a 500-meter radius.

Another area of concern flagged by Rockefeller stems from the Guardian's report that Whisper uses an outpost in the Philippines to review data, even though its privacy policy said that data is stored in the U.S. Storing data in other countries is seem as risky to users, because it's not clear that information stored abroad will have the same privacy protections as data in U.S. servers.

The lawmaker also questioned Whisper's arrangements to share some content with outside organizations, like BuzzFeed and Fusion -- both of which suspended their partnerships with Whisper after the Guardian's articles were published.

“It is questionable, at best, whether users seeking to post anonymously on the 'safest place on the internet' would expect that WhisperText has information sharing relationships with third parties such as media organizations,” Rockefeller writes.

The lawmaker is asking Heyward to brief the Commerce Committee on a host of issues, ranging from its location-tracking practices to its policies regarding data sharing with media companies.

Heyward said in a statement that it shares “the Senator's interest in protecting consumer privacy and will respond shortly.” He added: “Though we disagree with the Guardian’s reporting, we welcome the discussion."



Next story loading loading..