Are ‘Whispered’ secrets really private?

Published 3:00 am Friday, May 31, 2019

The popularity of social media sites is obvious.  However, as their popularity increased, many became concerned about the over-sharing of personal information. In particular, many security advocates highlighted the potential dangers for misuse and abuse of the both the technology and data among our youth.

As a result, several years ago, a new variety of social media services appeared: anonymous social media.

One of the primary ideas behind anonymous social media efforts was to promote self-expression, without fear of retaliation. However, that ideal, despite its merits, often took a backseat to cyber-bullying, public defamation, and a wide-variety of other attacks that polluted the environments. In fact, the lack of account creation and the allure of anonymity seemed to promote immoral and unethical behavior among the sites and apps.

Sign up for our daily email newsletter

Get the latest news sent to your inbox

Secret and Yik Yak are apps that once promised anonymity and an opportunity to share content freely, promoting self-expression while encouraging authentic and safe communication among users. As with many technologies, good intentions were harmed as the services were used in increasingly harmful ways. As threats and risks arose from the anonymous environments, public pressure demanded a response from the purveyors of anonymous social media tools.

Safeguards were implemented among some of the tools, such as account creation, phone number registration. These efforts essentially eroded the promise of anonymity and, of course, the need to monetize the apps altered the landscape further.

Recently, media attention has turned to Whisper. Whisper debuted in 2012, offering a free anonymous tool for sharing of images and videos with text overlays. The anonymous posts are referred to as Whispers. The app advertises that it “Reads People’s Minds, Friend’s Minds, Stranger’s Minds, Everyone’s Minds.” Upon installing the app, you are immediately confronted with a request to enable location services. As with most of the anonymous posting applications, an enticement to “find” nearby users and share private, anonymous content attempts to entice the user to enable location services.

The app boasts a large user base. When you open the app, whispers appear – some are based on location and proximity, others are associated with popularity. Each whisper contains a secret, which is essentially text that an anonymous user provided with an image. Users can comment publicly or privately about the whispers, join groups, and participate in a quasi-chat exchange – users have a handle, a monicker, through which a form of identity is established.

The confessions offered through Whisper are diverse. When I first opened the app, a user proclaimed “I have no shame about telling my future kids that I used to be a stripper.” Others offered complaints about work, life, sports. Basically, users confess and hope that no one is able to identify them, which according to the developers fosters an environment whereby people can freely express themselves without fear of the content haunting them or suffering ill consequences.

The app details a robust privacy policy. Among the many statements, the document reveals that the company will comply with law enforcement requests, which is a bit of doublespeak – of course they will, but what will they divulge from an anonymous tool? The app logs activity, including location and network artifacts, perhaps for a variety of purposes. Among those are location-based advertisements. While using the app, part of the display exhibits a constant scrolling view of paid advertisements.

So from a technology perspective, the app is tracking not only location, but preferences, interactions, scores of data points. Most of those are used to better monetize the user’s activities through directed advertisements.

Recently, issues have been reported to law enforcement about abuse of Whisper. A threat to a school in the Northeast was reported and investigated by law enforcement, several reports of child pornography and sexual solicitation of minor children have been offered from several media outlets.

With the decline in use of popular social media platforms, such as Facebook, among teenagers and twenty-year olds, micro-social media sites have gained popularity, think SnapChat, Twitter. Among those, the anonymous sites are gaining users as well. Some theorize that the increase in adoption of quasi-anonymous platforms is based on greater awareness among youth of the dangers, challenges associated with chronicling one’s life for public consumption.  Or maybe, as one fellow security practitioner says frequently, “They’re tired of being the product.”

Whatever the reason, it’s summer and young people have a lot of time and access on their hands.

With traditional social media platforms like Facebook, we warn of the imposters, those who create fake social media accounts and pretend to be a friend or someone living nearby. While those social engineering efforts are commonplace, I suggest we not employ the same type of threat model to purported anonymous social platforms. By definition, the sites are designed for public confessions and sharing of personal thoughts – the notion of someone creating an account to fool or deceive another user isn’t consistent with environments such as Whisper. Everyone uses the tool seeking anonymity, yet, wanting to reveal personal thoughts. The notion of the would-be deceiver isn’t as apparent.

In essence, all of the users are pretending to be someone else: no one.

Instead, we should warn our youth that bad people will continue to abuse technology. Given that these tools aren’t truly anonymous, considering what you post and who you follow continues to be important.

Help your children through discussions and aid them in reviewing their use of these tools. As you step through these efforts, be aware of enhanced features of some common apps, such as the My Eyes Only feature of SnapChat.

Be aware and be safe.