Whisper Just Wrote A 5 Page Response To A Scathing Security Report: 'We Do Not Track Or Follow Our Users'
Whisper has come out with a five page statement rebuking The Guardian, which it says is full of "lousy falsehoods."
"Whisper does not collect nor store any personally identifiable information from users and is anonymous," the company said in an emailed statement to Business Insider. "There is nothing in our geolocation data that can be tied to an individual user and a user's anonymity is never compromised. Whisper does not follow or track users. The Guardian's assumptions that Whisper is gathering information about users and violating user's privacy are false."
Here's the full statement, below:
Whisper does not collect nor store any personally identifiable information (PII) from users and is anonymous. To be clear, Whisper does not collect nor store: name, physical address, phone number, email address, or any other form of PII. The privacy of our users is not violated in any of the circumstances suggested in the Guardian story.
The Guardian staff, including its CEO and multiple members of the US editorial team, have met with, partnered, and worked with Whisper since February 2014 and published multiple stories utilizing Whispers, with full understanding of our guidelines. The Guardian's assumptions that Whisper is gathering information about users and violating user's privacy are false.
Here are a number of articles written, produced, and published by The Guardian with full knowledge and understanding of the process of news gathering at Whisper:
More generally, all of the assertions below are either totally false or have been openly disclosed by Whisper executives and reported as such:
1: Whisper is using data to ascertain the geographical coordinates of smartphones belonging to users who have expressly opted out of the geolocation service on the app, in an apparent breach of the company's terms of service, which state: "Your permission to our access to and tracking of your location based information is purely voluntary, and, accordingly, you may freely opt-in of or opt-out of and determine the level of specificity of the same."
This is not true. We neither receive nor store geographical coordinates from users who opt out of geolocation services. User IP addresses may allow very coarse location to be determined to the city, state, or country level.
Even for users who opt into geolocation services, the location information that we do store is obscured to within 500 meters of their smartphone device's actual location.
There is nothing in our geolocation data that can be tied to an individual user and a user's anonymity is never compromised.
2: Whisper is retaining indefinitely Whisper postings and associated user data in a searchable database - even messages which users believe have been deleted - in an apparent breach of your own terms of service, which state: "Because of Whisper's real-time nature, usage data, posted content, and comments may be stored for a brief period of time."
Whisper may retain posted content for a brief period of time as stated in our terms of service, however, the internal database contains no personally identifiable information and is secure/access-audited, and not publicly accessible.
3: Whisper is closely monitoring, tracking and following users it believes are potentially newsworthy, researching their history of activity on the app and previous locations. This is a breach of the spirit of anonymity promised to users and counter to public statements made by Whisper CEO, Michael Heyward, on the subject. Among the many targeted are users who appear to work at McDonalds, WalMart, Yahoo, Disney, a range of secretive US military bases and secure government buildings, a DC lobbyist and a user based on Capitol Hill.
Whisper does not follow or track users. Whisper does not request or store any personally identifiable information from users, therefore there is never a breach of anonymity. From time to time, when a user makes a claim of a newsworthy nature, we review the user's past activity to help determine veracity.
Whisper does, however, surface and curate thematic narratives from users who are not personally identifiable either to Whisper employees or to the public writ large.
Furthermore, workplace information from Whisper users is always volunteered without solicitation or prompt, and users share any information about their workplace publicly. More info.
Most importantly, your assertion that Whisper's editorial efforts are "counter to public statements made by Whisper CEO, Michael Heyward" is demonstrably false. Below is a link to one of many interviews conducted by Michael Heyward, in which he specifically addresses Whisper's editorial strategy.
4: Whisper's editorial staff are using the app's private messaging service to engage in conversation with users without initially disclosing they work for the company. This is in order not to spook or alarm users who may be surprised about the contact. You advised us as journalists to initially conceal our true identity. The real intentions of these communications are only disclosed once a conversation has been started.
This is untrue. After greeting a user or saying hello, the Whisper team always immediately discloses that they work at Whisper. At no time did any Whisper team member suggest to anyone that they conceal their identity as a reporter. In fact, Guardian reporter Dominic Rushe, unprompted, expressed comfort with concealing his own identity.
It is also vital to emphasize that no information exchanged between a user and a member of the Whisper team through the service is ever handed off to a third party without the explicit written consent of the user. If a user does not consent to the interaction being made public, the exchange ends and no further contact is made.
5: In addition to Whisper's LA-based news team, the company has employed 200 people in the Philippines to monitor messages posted on the app. You told us their job is primarily to filter out messages which abuse the company's code for users and they are also trained to identify postings that are potentially newsworthy. What access to metadata do these people have and what security measures do you have in place?
Whisper maintains a team of over 100 content moderators in the Philippines to moderate publicly posted content and enforce our safety guidelines. Whisper does not moderate or monitor private messages in chat.
Moderators in the Philippines never participate in identifying Whispers that are potentially newsworthy. No one at Whisper ever claimed that they did.
Our process is extremely secure and our moderation team never has access to personally identifiable information because we do not have any.
6. You said the company "usually" requires a subpoena or court order before passing information to law enforcement authorities, but added there have been times when the company has bypassed that process to provide user data to the FBI or the British secret service, MI5. You said this information is occasionally provided voluntarily to law enforcement, unsolicited.
We note your terms of service say you will "only respond to valid, legal process from a US law enforcement authority or court". Also, Whisper's approach to passing user information to law enforcement appears to be less stringent than other tech firms such as Twitter, Google, Microsoft and Yahoo that state they require a warrant signed by a judge under the electronic communications privacy act (ECPA).
Your quote above is not from our TOS/Privacy Policy. Here is the section in our Privacy
Policy about this issue:
Compliance with Laws and Law Enforcement
WhisperText cooperates with government and law enforcement officials to enforce and comply with the law. We may therefore disclose Personal Information, Usage Data, Message Data, and any other information about you, if we deem that it is reasonably necessary to: (a) satisfy any applicable law, regulation, legal process (such as a subpoena or court order) or enforceable governmental request; (b) enforce the Terms or the Services, including investigation of potential violations thereof; (c) detect, prevent, or otherwise address fraud, security or technical issues; or (d) protect against harm to the rights, property or safety of WhisperText, its users or the public as required or permitted by law.
We comply with the legal process in all instances. We respond to both subpoenas and preservation requests from law enforcement. Whisper is not a place for illegal activity.
Whisper has always been public about the fact that we will proactively report threats of violence or anything dangerous involving a minor (or child abuse) to law enforcement out of public safety concerns. More info.
Again, Whisper does not have any personally identifiable information from users that can be shared.
7: Whisper is also cooperating with the US Department of Defense, sharing data for a multi-year study into the frequency of mentions of suicide or self-harm from smartphones that are used in US military bases or compounds. We can find no evidence of your having notified users about this study.
We're proudly working with many organizations to lower suicide rates and the US military is among them. We have referred more than 40,000 people to the National Suicide Prevention hotline and hear from Whisper users every day that Whisper saved their life. We are not sharing specific user data with any organization. We noticed how frequently suicide is mentioned among those living on US military bases or compounds and reached out to organizations to see how we could work together to address this important issue.
We have publicly shared similar aggregated PTSD statistics that are absent of any personally identifiable information, as, again, we do not collect or store PII.
8: Whisper has developed a Chinese-version of its app, which received a soft-launch last week. Unlike major tech companies such as Facebook and Twitter, which are blocked in mainland China, Whisper has agreed to the government's terms - including a ban on certain words appearing on its app. We would be grateful if you could tell us whether you plan to cooperate with requests from the Chinese government for user data?
We haven't launched in China but we operate in many countries and comply with the same local laws and regulations as other US-based technology companies that operate internationally do. Again, Whisper does not collect or store any personally identifiable information from users that can be shared.
9. In general, the information we were exposed to revealed that Whisper's internal practices contrast strongly with Michael Heyward's public declarations, the company's terms of service and the expectations of users who are downloading the app in growing numbers in the belief their privacy and anonymity will be closely protected.
This is untrue. Whisper does not collect nor store any personal identifiable information from users therefore their privacy and anonymity are always protected.
Additionally, it important to emphasize that Whisper and every user-generated "Whisper" text-over-image is entirely public (while the contents of private chat are not), and users are fully aware of this fact. The internal tools shared with The Guardian's reporters during their stay at Whisper HQ, while more robust than public search functionality, do not afford Whisper team members any additional insight into a user's identity, as, again, Whisper does not collect nor store any personally identifiable information of any sort or kind.
Lastly, as stated above, Whisper is not a place to make violent or child-endangering threats, and we will proactively notify law enforcement in order to protect our users and the public.