Friday, October 31, 2014

Messaging programs promising anonymity might not be as secure as you think

As information regarding the federal government's surveillance program continues to surface (some of which is pretty seedy), there's growing demand for platforms where people can post messages and interact with others anonymously. However, perhaps puzzlingly, what actually constitutes anonymity Anonymousisn't so easily defined. As WSJ Law Blog's Elizabeth Dwoskin recently wrote:

[T]here has never been more confusion about what the term means. Does it mean a company never knows the identity of its users, or is it enough for users to be anonymous to one another? Does it mean a company erases posts immediately after they appear or stores them internally?

Notwithstanding these questions, what's now clear is that some programs that claim complete secrecy aren't actually forthcoming about the software's limitations -- perhaps even intentionally misleading consumers as to the capability of achieving anonymity. For example, The Federal Trade Commission (FTC) recently settled with Snapchat after charging the company with "deciev[ing] consumers with promises about the disappearing nature of messages sent through the service."

Whisper is a similar service that purportedly doesn't collect data from users -- it even has labeled itself "the safest place on the Internet." But, as Dwoskin explains, The Guardian recently claimed it has been collecting information "on specific users whose posts it deemed potentially newsworthy" -- even on those "who had opted out of the app's location feature." Whisper, of course, disputes these allegations

The company said its location data was very imprecise, and that it discarded the information after a short time. It pointed out that many users deliberately tag their locations, and that its tracking practices are transparent...

Privacy experts [however] point out that vague information can be used to identify individuals by combining it with other information and zeroing in on patterns of behavior.

Whisper doesn't appear to have caught the FTC's attention quite yet, but making amends with those who demand anonymity -- or, at least, honesty -- will be a long row to hoe. As Professor Deirdre Mulligan told Dwoskin, “They are actively exploiting their access to transactional data to engage in surveillance as a new line of business." But there are ways to limit the disclosure of identifying information -- for instance, writes Dwoskin, by "includ[ing] separating transaction and identity data, truncating numbers such as device IDs and IP addresses that serve as unique identifiers, and blurring location data, as Whisper claims to do."

Whisper can perhaps be forgiven for failing to provide complete anonymity (even though it suggested it had the capability to do just that) -- it would be foolish for one ever to feel free to act with impunity. No program can completely protect users from data inquires by law enforcement, and "[s]oftware bugs can compromise user privacy" as well. Some basic data collection is just completely unavoidable. But, as Dwoskin concludes: "The question is whether companies are making a good-faith effort to protect privacy."

Web/Tech | Permalink


Post a comment