Respected iOS researcher Jonathan Zdziarski has found many holes in Whisper’s claim to anonymity in a preliminary investigation of the app. “The social networking element of Whisper acts as secondary to the application’s subject tracking and analytics core,” he wrote.
Among his findings are that the app generates a unique user ID when someone runs the app for the first time:
These unique identifiers provide positive identification of the device that, given fingerprint and/or passcode authentication, can also serve as positive identification of an individual, eliminating any plausible deniability of the user’s identity. These user identifiers appear to exist for the life of the application, and are assigned even if the user wishes to remain anonymous while using the application.
Also, despite the fact that Whisper editor-in-chief Neetzan Zimmerman claimed that location data is “fuzzed” to a 500-meter radius, Zdziarski found that “the application requests a level of accuracy from Apple’s CoreLocation manager of no worse than 100 meters… CoreLocation will return results within this smaller radius of 100 meters, and often less.” Whisper chief technology officer Chad DePue told Zdziarski via tweet that the data is fuzzed on their side, but as Zdziarski points out, there is no way to verify this.
Tracking a unique identifier across the lifetime of an application could trivially be used by a company to build a history and profile for the subject, associating all of their former posts, photos, searches, and other stored data with a single identity. Any single message, then, containing identifying correspondence – or multiple messages containing different minor details that could be correlated to form an identity, will positively identify not only the user, but also correlate it to their entire history within the app. Further associating a GPS location to this data would, over the long term, easily provide enough information to determine the user’s identity, simply by analyzing the overlaps of geo-coordinates over a time period. Even if Whisper were to sanitize GPS data to 1km of accuracy, the overlaps across time would likely allow a much smaller radius to be determined. Keep in mind that 100 meters, or even 500 meters, is often still well within the domain of a person’s private property. Multiple data points distributed around that single location over a period of time can easily identify a person’s home address.
The researcher also gives some suggestions as to how the app could be improved in order to increase privacy protections. Head over to his blog to read the full post.