How Whisper Tracks Users Who Don't Share Their Location
blottsie (3618811) writes "On Thursday, the Guardian reported that secret-sharing app Whisper was tracking users' locations even when they opt-out of sharing their location. [See also this earlier, related story.] Whisper has denied the accusations—but this may be a matter of semantics. Whisper allegedly uses an outdated version of GeoIP by MaxMind, which uses your IP address to estimate your location on a map. Whisper's Chad DePue said in a comment on Hacker News that the tool is "so inaccurate as to be laughable," suggesting that determining something as broad as your country or state won't bother the basic user (and he could be right, but what is and isn't an upsetting degree of user information is another argument entirely)."
accuracy (Score:3)
well, if it was accurate to the planet, I would not be upset. ... or Uranus.
Unless I had a mistress on Mars
Meh... (Score:3)
...better delete your Apache logs, lest you be accused of tracking people's "locations."
Re: (Score:1)
I think it's important to point out that this wasn't incidental. The claim is not "They know your IP so they must know where you are !!?!"
They actively attempted to track people. It doesn't matter that their alternate method (GeoIP) is less accurate.
They've been caught demonstrating a disregard for your preference/request/requirement. No one should trust them to not lie further (using GPS if possible). Or, at least, find a more accurate alternative tracking system.
I'm upset (Score:2)
to a degree I'm upset.
Re: (Score:2)
I don't get it.
Oh, wait a minute...
Re:if you opted-out.. (Score:4, Insightful)
principles? Wrong planet, buddy. This is business...
Not at all accurate (Score:5, Insightful)
Re: (Score:2)
just hide in this unsearched area - the one between 78.5 and 78.539 sq m.
Re: (Score:2)
Re: (Score:1)
My connection is on a dynamic IP address. The best any of those services can do is tell you what city my ISP's router is in, and one of the three services tested by iplocation.net (the service pointed to by TFA) managed to get it wrong. And, I'm not the least bit impressed by the claim that the author's location was correct within 5 miles, as that still leaves anybody looking for you with just over 78.5 square miles to search.
So how inaccurate is something if you are generating this data all the time, wherever you travel, from one ISP to another, and post your subliminal text images all over the place. Suddenly a fuzzy picture starts to look much clearer, and you can be pinpointed with reasonable accuracy.
Re: (Score:1)
My connection is on a dynamic IP address. The best any of those services can do is tell you what city my ISP's router is in, and one of the three services tested by iplocation.net (the service pointed to by TFA) managed to get it wrong. And, I'm not the least bit impressed by the claim that the author's location was correct within 5 miles, as that still leaves anybody looking for you with just over 78.5 square miles to search.
To accurately determine a cell phone's location you need three or more towers, which can be the case in a city. Without GPS being turned on and with three cell towers it is possible to get a location accuracy of a few 10s of meters or, if you live in a non-metric country, approximately a few 10s of yards. A quick search will confirm what I have just said but you could look at this site [world-tracker.com] or you can try one of the 100 million plus hits I got with my search.
As per the above URL the accuracy was 100 m which i
Re: (Score:2)
Except that it's really not that dynamic.
Except that it really is that dynamic. Who speaks DHCP with their ISP anyway? Protip: Often is IPCP on a PPP link.
Of course, silly claims like this
n/c
Re: (Score:2)
Not everyone is on dynamic IP (Score:2)
Re: (Score:2)
Can TOR be used with this program to make it even harder to track?
Re: (Score:2)
Unfortunately not. TOR only obscures your source IP address from servers and peers that you are connecting to. It won't help for an application that is residing on your phone. You could use any number of the location spoofing frameworks that are used for testing applications to provide fake/random location data.
Re:Sorry. Non-issue. (Score:5, Insightful)
The issue isn't that they know where you are, the issue is that they're collecting and storing location-based data on users who thought they had explicitly opted out of having location data collected.
I presume they also are still collecting the IP addresses, which can be run against any geolocation software they want after the fact.
so: collecting location data? Not an issue.
Using Maxmind's geoIP service? Not an issue.
Asking customers if they want to opt out of having their location data stored, and then storing it anyway? THAT is an issue.
Location and content match (Score:1)
Whisper isn't about keeping random people from finding you, it's about keeping your friends from finding you. Because if you wanted them to know what you're posting, you'd use Facebook.
And the location's accuracy is very often enough, in conjunction with the content of the message, to reasonably suspect someone or even identify them.
Don't collect information you don't need (Score:5, Insightful)
Note to Chad: The issue is not how accurate the information is or isn't. The issue is that a truly anonymous service has no need for this information.
If you are providing an anonymous service, then accept the incoming socket, provide the service, and then promptly forget everything about the session. If it is logged, those logs can be requested or outright stolen by the world's TLA's. Even performing a GeoIP lookup without logging it has the potential to leak information from your service that can be collected by mass surveillance and correlated with other information.
Do not collect information that is not relevant to the service being provided. Period.
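An added example, not part of the thread and not Whisper's code: one way a service could honor the opt-out discussed above so that no stored field can be run through GeoIP after the fact, while still keeping a short-lived token for abuse throttling. The request shape, field names and daily-key scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import secrets

# Hypothetical per-day secret: held in memory only and discarded at rotation,
# so older tokens cannot be recomputed. A plain unkeyed hash would not do:
# the IPv4 space is small enough to enumerate and reverse.
_DAILY_KEY = secrets.token_bytes(32)


def rate_limit_token(client_ip: str, key: bytes = _DAILY_KEY) -> str:
    """Keyed, truncated digest of the IP: usable for throttling, not for GeoIP."""
    packed = ipaddress.ip_address(client_ip).packed  # ValueError on junk input
    return hmac.new(key, packed, hashlib.sha256).hexdigest()[:16]


def record_to_store(request: dict, key: bytes = _DAILY_KEY) -> dict:
    """Build the only record persisted for a post.

    `request` is a constructed shape: client_ip, share_location (bool),
    optional coords (lat, lon) and text.
    """
    stored = {
        "text": request["text"],
        "abuse_token": rate_limit_token(request["client_ip"], key),
    }
    # Location is kept only on explicit opt-in, even if the client sent it.
    if request.get("share_location") and request.get("coords"):
        stored["coords"] = tuple(request["coords"])
    # The raw IP is never copied into the stored record.
    return stored


if __name__ == "__main__":
    # Constructed sample requests using documentation address ranges.
    opted_out = {"client_ip": "203.0.113.7", "share_location": False,
                 "coords": (47.6062, -122.3321), "text": "hello"}
    opted_in = {"client_ip": "2001:db8::1", "share_location": True,
                "coords": (47.6062, -122.3321), "text": "hi"}
    print(record_to_store(opted_out))
    print(record_to_store(opted_in))
```

The same rule has to hold for web server and load balancer access logs, since those record the source address independently of the application.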
Re: (Score:2)
1000 times this. I have a general problem with centralized, for-profit services based in countries with known surveillance offering "anonymous" services to begin with, but for the love of all things sane in this world, if you're gonna try that, at least be hyper-aware of every shred of data you incidentally collect or cause to go across the wire.
Your IP address is as good as a GPS (Score:1)
Your IP address is as good as a location these days. Because the same IP will have some device on the NAT, your wife's phone, your ChromeBox, your thermostat even, in Android even if you turn off GPS, it still gives Goog permission to have your wifi-sourced location which is as good as GPS in resolution except out in the wilds.
Wifi triangulation is as good as GPS and in towns and cities is often better than GPS. But they may also have the GPS signal.
The CLIENT for this information is buying from many sources
The issue is one of trust.. not tech details. (Score:1)
The issue is one of trust.. not tech details. Also, considering the trends it suggests there is no truth in anything related to business and/or gov and/or communications.
Simple.
Can Whisper prevent dupes? (Score:1)
It also says there is a technical backdoor that allows Whisper to pinpoint the location of users who have declined to share their location with the app, and that Zimmerman and another executive had requested staff to exploit it. But Zimmerman, fuming at the accusations, said such backdoors are "technically impossible."
Nonsense. The word "backdoor" is not really appropriate here, but of course there are methods (and they are very technically possible) to divine someone's location even if they've declined to share it. Geolocation has become astonishingly accurate in areas where ISPs and telcos are selling their subscriber physical-to-IP-address data. I'm not talking about the 500-meter resolution mentioned in the article, but the exact address (or coordinates of the exact address) that the subscriber's service is billed to
Yet another business getting caught (Score:2)
What is whisper? (Score:1)
I downloaded and used whisper the day it was released and continued for 6 months to a year.
During that time I watched the community grow. At its onset it was very small and people were nice. One of my first posts was responding to some young Asian woman who disliked the typical phenotype of rounded face and smaller nose and said she was teased often and wished she had more Caucasian features. I explained that the rounded face was definitely attractive to all males and her nose was adorable. She was pretty b
Criminal, as in FRAUD (Score:2)
So happy to hear about this again (Score:1)
The biggest problem is mobile (Score:2)
I've worked with MaxMind stuff on mobile IP location - as the guy says it's pretty useless. If the user is on wifi it's not too bad, at least the IPv4 stuff could pretty reliably get the state and often city. I never had any luck with IPv6 although they claim to support it better now.
The big kicker is if the user is on cellular - at least in the US most cell networks are natively IPv6, and they tunnel connections through giant NAT devices. This leads to two interesting effects - firstly the IPv4 address yo