Anonymously sharing classified information on social networks has had another layer of protection blasted away with news that two startups would turn over information to the authorities at the drop of a hat.
Secret and Whisper, which claim to allow users to communicate anonymously, both have a “whistleblowing” function that can act as a mouthpiece for users wanting to reveal information and users are being advised to read the small print before sharing anything.
Legal and security experts for Wired reviewed the terms of service and found that there are “broad exceptions in their anonymity protections” that mean the two service are, at best, a legal scandal waiting to happen. At worst the two are a trap for those sharing secrets that are in violation of an NDA or security clearance.
Secret has much the same policy that means it warns users it will share information “in response to a request for information if we believe disclosure is in accordance with any applicable law, regulation or legal process, or as otherwise required by any applicable law, rule or regulation”. The same policy also contains a section headed “How We Respond to Subpoenas from Courts”.
Hanni Fakhoury, an attorney at the Electronic Frontier Foundation, explained that whilst the two services have little choice but to turn over information to the authorities, it’s the “doublespeak that’s problematic”.
“You have to be very careful about selling a program as a secure way to secretly communicate, and then reserve the right to turn over that information whenever necessary,” Fakhoury added.
This was apparently the case when Whisper investor spoke at the recent TechCrunch Disrupt conference and advocated the use of its service for whistleblowers, who he profiled as someone that “comes on to the service and says I work at the NSA and your president is abusing his constitutional powers and illegally reading your emails and listening to your phone calls.”
Whistleblowers sharing extremely sensitive information will have done the research on both services and won’t have even considered the two startups as the security doesn’t come close to that offered in the deep web or by secure software like SecureDrop and Globaleaks.