Whistleblowers take note: Whisper and Secret aren’t that anonymous after all

Anonymously sharing classified information on social networks has had another layer of protection blasted away with news that two startups would turn over information to the authorities at the drop of a hat.

Secret and Whisper, which claim to allow users to communicate anonymously, both have a “whistleblowing” function that can act as a mouthpiece for users wanting to reveal information. Users are being advised to read the small print before sharing anything.

Legal and security experts for Wired reviewed the terms of service and found that there are “broad exceptions in their anonymity protections” that mean the two services are, at best, a legal scandal waiting to happen. At worst the two are a trap for those sharing secrets that are in violation of an NDA or security clearance.

“They say you can use this app to tell the world whatever you want to anonymously, but when you start reading the privacy policy, you realize it’s not all that anonymous,” said Runa Sandvik, staff technologist at the Center for Democracy and Technology and a former developer for Tor. “As soon as law enforcement asks, they’ll turn over information about who said what and when.”

Whisper’s privacy policy states that it will reveal everything it knows about a user in certain situations, including law enforcement investigations, subpoenas in civil disputes, or even just a claim of “wrongdoing” whilst using it.

Secret has much the same policy, warning users that it will share information “in response to a request for information if we believe disclosure is in accordance with any applicable law, regulation or legal process, or as otherwise required by any applicable law, rule or regulation”. The same policy also contains a section headed “How We Respond to Subpoenas from Courts”.

Hanni Fakhoury, an attorney at the Electronic Frontier Foundation, explained that whilst the two services have little choice but to turn over information to the authorities, it’s the “doublespeak that’s problematic”.

“You have to be very careful about selling a program as a secure way to secretly communicate, and then reserve the right to turn over that information whenever necessary,” Fakhoury added.

This was apparently the case when a Whisper investor spoke at the recent TechCrunch Disrupt conference and advocated the use of its service for whistleblowers, whom he profiled as someone who “comes on to the service and says I work at the NSA and your president is abusing his constitutional powers and illegally reading your emails and listening to your phone calls.”

Whistleblowers sharing extremely sensitive information will have done the research on both services and won’t have even considered the two startups, as their security doesn’t come close to that offered in the deep web or by secure software like SecureDrop and Globaleaks.