Bad news for whistleblowers. Secret is far less secret than you think

By Yasha Levine , written on June 5, 2014

From The News Desk

"Don’t worry, your data is safe with us." —Secret FAQ
"A court order without probable cause or even a subpoena may be enough for law enforcement or for a civil litigant to demand records." — ACLU

* * * *

In this post-Snowden world of ours, privacy isn't so much an ideal as a marketing gimmick.

So it didn’t come as a surprise in early 2014, about six months after Edward Snowden leaked his NSA files, when two ex-Googlers launched Secret, a mobile app that they promised would revolutionize the way people talked online. The key: anonymity.

The app’s founders, Chrys Bader-Wechseler and David Byttow, described Secret as “an entirely new layer of communication” that would allow people to escape the perverse surveillance culture that dominates the Internet, giving them a space where they can share their most personal thoughts and experiences with impunity, without fear of being ridiculed or judged or identified.

As they explained in a post just after launching…

As social networking has become universal, we’ve become increasingly sensitive to what we share online. Speaking on a stage in front of a mixed audience of family, friends, and acquaintances makes it hard for us to be our most authentic selves. As a result, we tend to share only our proudest moments in an attempt to portray our best selves. We filter too much, and with that, lose real human connection. . . . Sometimes showing approval of controversial content can be embarrassing or intimidating. On Secret, these things are done anonymously, so you can freely endorse what you see.

The app itself is simple enough: it lets users post short messages, which get sent out anonymously to their list of mobile phone contacts. And if the post is liked by a bunch of people, it gets broadcast out to an even larger network: contacts, contacts of contacts, contacts of contacts of contacts…and on and on.

Because Secret is tied to a person’s phone number, signing up takes almost nothing (an earlier version of this article said users don’t need to create an account at all; they do, see the update below). All users need to do is download the app and share their innermost thoughts anonymously. People have posted countless secrets about depression, loneliness, suicidal thoughts, cheating and ridiculous medical advice.

“Every time I go spinning, I loose [sic] feeling in my penis. That can’t be good, right?”

But Secret isn't just for personal and embarrassing stuff. In the first few months after launch, the app became a platform for all sorts of Silicon Valley insider gossip and rumormongering.

Someone at Nike used the app to leak news that the company was laying off its Fuelband developer team. Someone else spilled the beans on Google exec Vic Gundotra’s hush-hush departure from the company weeks before the announcement was supposed to be made public. Another Secret user "leaked" news that Evernote was about to be acquired, a rumor that turned out to be some kind of prank.

These corporate rumors might not have lit the world on fire, but they raised a serious question: With its guarantee of anonymity and privacy, Secret is likely to attract corporate and government whistleblowers. Are Secret's anonymity protocols strong enough to protect their identities?

Secret wasn’t initially designed with whistleblowing in mind, but the app’s founders have since embraced the idea. “[W]e constantly ask ourselves is whistle-blowing important, and we think so,” Bader-Wechseler told the BBC.

Secret never misses an opportunity to brag about the steps it’s taken to safeguard and protect people’s identities.

Security is a top priority -- We take all reasonable measures to protect information about you from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction.

We care about your privacy and anonymity -- We don’t offer usernames or profile photos to anonymize all content. We ensure posts on Secret can’t be traced back to you by another user.

Posts can't be traced back to you? Wonderful!

So, let’s say Nike decided to sue the anonymous Secret user who leaked news of the company’s impending layoffs. Maybe the leak tanked the company's stock price. Or maybe the company wanted to punish the leaker for violating her/his non-disclosure agreement. Whatever Nike's reasons, it wouldn't matter. Because there’d be no way for the courts to compel Secret to reveal the person's identity -- right?
Per the site's privacy policy:

…if a court asks us to disclose your identity, we may be compelled to do so...

We have taken great effort to build strong security and encryption architecture to keep your Posts completely anonymized. While it is difficult to access, it is still technically possible for us to connect your Posts with your email address, phone number, or other personal data you have provided to us.

Email address? Phone number? Other personal data? Hell, if Secret is keeping info like this, the company might as well have your driver's license and social security number. The app is pseudonymous at best, not anonymous: other users can't see who you are, but Secret itself knows exactly who you are.

But Secret says there’s nothing to worry about, and makes a big show in their privacy policy of just how hard it supposedly is to connect a user's identity to their posts:

While it is necessary for our system to maintain a link between the Posts you submit and your user account information (so we can let you know when your Post receives comments, hearts or other activity), it is intentionally difficult for us to ever discover that link. Access to a poster’s identity is protected by a two man lock-out system that requires two of our employees – currently our two founders – to simultaneously request access to that information.

Damn! A "two man lock-out system!" That’s some nuclear space age technology! Like those air force guys sitting in a nuclear missile silo deep below some cornfield in Iowa and who have to enter secret launch codes and turn their keys at exactly the same time. Sounds safe.

It isn't.

Requiring two employees to act together is a control against insiders: it stops a single employee from looking up a poster on their own. It is no barrier to anyone who can order both employees to act, and as ACLU attorney Chris Conley told me, even with such a barrier erected between user information and their posts, law enforcement or a court can still easily get at the information. "Just because [a secret] does not have my name directly tied to it, it doesn’t mean a whole lot if it only takes two or three straightforward steps to get there."
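To make the limits of that control concrete, here is an added illustration of what a "two man lock-out" can look like when it is done cryptographically rather than procedurally. This is not Secret's code, and the page does not say how Secret actually implements its lock-out; the scheme, the names and the sample record are assumptions for the example. The private key that unlocks the post-to-account link table is split additively between two custodians, so the app server holds only the public key: it can write a link for every post but cannot read one, and one founder alone gets nothing. The group parameters and the HMAC-based stream cipher are toy choices to keep the example stdlib-only; a real system would use a standard DH group and an AEAD.

```python
"""Two-person ("two-man") control over a post -> account link table.

Added illustration, not Secret's code. The private key x is split as
share_a + share_b == x (mod P-1) between two custodians; the app server
holds only the public key, so it can WRITE a link but cannot READ one.
Toy modulus and a hand-rolled stream cipher: demonstration only.
"""
import hashlib
import hmac
import secrets

P = (1 << 127) - 1   # Mersenne prime M127: a TOY modulus, far too small for real use
G = 3
Q = P - 1            # exponents are reduced mod P-1 (Fermat's little theorem)


def keygen():
    """Return (public_key, share_a, share_b) with share_a + share_b == x (mod Q)."""
    x = secrets.randbelow(Q - 1) + 1
    share_a = secrets.randbelow(Q)
    share_b = (x - share_a) % Q
    return pow(G, x, P), share_a, share_b


def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode, standing in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def _derive(s):
    """Wrapped session secret (an integer < P) -> (encryption key, MAC key)."""
    sk = hashlib.sha256(s.to_bytes(16, "big")).digest()
    return (hmac.new(sk, b"enc", hashlib.sha256).digest(),
            hmac.new(sk, b"mac", hashlib.sha256).digest())


def seal_link(public_key, account: bytes):
    """Server write path at post time: ElGamal-wrap a fresh secret, then encrypt-then-MAC."""
    k = secrets.randbelow(Q - 1) + 1
    s = secrets.randbelow(P - 1) + 1
    c1 = pow(G, k, P)
    c2 = (s * pow(public_key, k, P)) % P
    enc_key, mac_key = _derive(s)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(account, _keystream(enc_key, nonce, len(account))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"c1": c1, "c2": c2, "nonce": nonce, "ct": ct, "tag": tag}


def partial_decrypt(blob, share):
    """Computed by ONE custodian with their own share; reveals nothing about the other share."""
    return pow(blob["c1"], share, P)


def reveal_link(blob, partial_a, partial_b):
    """Combine both partials: c1^share_a * c1^share_b == c1^x (mod P), which unwraps s."""
    shared = (partial_a * partial_b) % P
    s = (blob["c2"] * pow(shared, -1, P)) % P
    enc_key, mac_key = _derive(s)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("identity stays sealed: a share is missing or the record was altered")
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def single_custodian_can_read(blob, share):
    """What one rogue founder gets on their own: nothing (the MAC check fails)."""
    try:
        reveal_link(blob, partial_decrypt(blob, share), 1)
        return True
    except ValueError:
        return False


def compelled_disclosure(blob, share_a, share_b):
    """What a court order addressed to both custodians gets: the record, in two calls."""
    return reveal_link(blob, partial_decrypt(blob, share_a), partial_decrypt(blob, share_b))


if __name__ == "__main__":
    pub, founder_1, founder_2 = keygen()
    # Constructed sample record (hypothetical post id, reserved fictional phone number).
    link_table = {"post-8821": seal_link(pub, b"phone=+1-555-0100;email=poster@example.com")}
    blob = link_table["post-8821"]
    print("one founder alone:", single_custodian_can_read(blob, founder_1))
    print("both, under court order:", compelled_disclosure(blob, founder_1, founder_2))
```

The split does exactly what the policy claims and nothing more: a single insider with one share cannot recover the record, but the moment both custodians are compelled to run their half, the link is back in the clear. The control changes who inside the company can look, not whether the company can be made to.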

Here's the truth: Whether for law enforcement or private litigants, the legal barrier for access to Secret's information is much lower than we think, all thanks to what's known as the "third-party doctrine": the principle that information you voluntarily hand to a third party, such as a service provider, carries a reduced expectation of privacy.

"This is being fought out in the courts, but in many cases, courts have said that a court order is good enough, that we don’t need a search warrant," says Conley, who works the technology and civil liberties beat at ACLU's Northern California chapter. "A court order without probable cause or even a subpoena may be enough for law enforcement or for a civil litigant to demand records. "

Conley went on to say that anonymous app companies need to make sure their backend data practices line up with the advertised purpose of their product: "They need to think through their own process. If you are offering a service that is about providing anonymous communication, then if you are retaining their identity and tying it to their communication, then you are kind of undermining the whole purpose of your service.”

Secret allows users to unlink their account from posts they had made in the past, a feature that it claims will make them "entirely untraceable." But that's hard to believe considering that Secret "may retain certain information as required by law or for legitimate business purposes" (backups, for instance, which may also be made independently by Google, with which Secret's app engine is hosted).

But if Secret really cares about anonymity, why maintain the connection between a user's identity and their posts in the first place? Why not kill the link immediately and by default?

Secret says they do it for the benefit of the user: "so we can let you know when your Post receives comments, hearts or other activity." Yes, what good is anonymity without hearts? It's all about the hearts.

The real answer is probably even more banal: it's about making money. I asked Secret if the company currently profiles its users or works with third-party companies to serve ads or provide other services. The company's answer was terse and not very reassuring: "currently no."

(That reminds me of when Sergey Brin said, after launching Gmail, that they didn't combine users' search logs with their Gmail profiles, but refused to promise that Google wouldn't do so in the future.)

At South by Southwest Secret's co-founder Byttow described the app as a “masquerade ball," a place where “you know who is there and who is on the list, but no one can see faces.” No one, that is, but Secret and its future advertising partners.

The deeper you get into Secret’s privacy policy, the clearer it gets: the whole anonymity thing is only GUI-skin deep and leaves a whole lotta legal room for Secret to collect massive amounts of identifiable private information on the backend.

Here's some of the stuff Secret collects on its "anonymous" users (emphasis mine):
  • Log Information: We log information about your use of the Service, including the type of browser you use, access times, pages viewed, your IP address and the page you visited before navigating to our Service.
  • Device Information: We collect information about the mobile device you use to access our Service, including the hardware model, operating system and version, unique device identifiers and mobile network information.
  • Location Information: We may collect information about the location of your device each time you access or use one of our mobile applications or otherwise consent to the collection of this information.
  • Information Collected by Cookies and Other Tracking Technologies: We use various technologies to collect information, and this may include sending cookies to your computer or mobile device. Cookies are small data files stored on your hard drive or in device memory that help us to improve our Service and your experience, see which areas and features of our Service are popular and count visits. We may also collect information using web beacons (also known as “tracking pixels”).
Geolocation, IP address, phone number, unique device identifiers: any one or two of these data points can often be used to quickly establish a user's identity. All of them together... let's just say that, with minimal effort and the use of basic third-party data broker services, Secret could reconstruct your identity, your age, your ethnicity and your estimated income level.
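How few of those fields it takes to single a person out can be measured rather than asserted. The following is an added example, not Secret's code or data: the log rows are constructed by hand, with the field names chosen to mirror the categories the policy lists (device model, OS version, IP address, coarse location, access time bucketed to the hour). For each row it counts its anonymity set, the number of rows that look identical on the chosen fields; a set of size one means that combination alone identifies the poster.

```python
"""How many of the logged fields does it take to single someone out?

Added example on CONSTRUCTED rows (not Secret data). A row's anonymity set
is the number of rows matching it on the chosen fields; k == 1 is unique.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: documentation-range IPs, two phone models, two cities.
SAMPLE_LOGS = [
    {"model": "iPhone6,2", "os": "iOS 7.1.1", "ip": "203.0.113.17", "cell": "37.78,-122.41", "hour": "2014-06-02T09"},
    {"model": "iPhone6,2", "os": "iOS 7.1.1", "ip": "203.0.113.17", "cell": "37.78,-122.41", "hour": "2014-06-02T09"},
    {"model": "iPhone6,2", "os": "iOS 7.1.1", "ip": "198.51.100.9", "cell": "37.78,-122.41", "hour": "2014-06-02T09"},
    {"model": "iPhone6,2", "os": "iOS 7.0.4", "ip": "198.51.100.9", "cell": "37.78,-122.41", "hour": "2014-06-02T11"},
    {"model": "SM-G900V", "os": "Android 4.4.2", "ip": "192.0.2.44", "cell": "40.71,-74.00", "hour": "2014-06-02T20"},
    {"model": "SM-G900V", "os": "Android 4.4.2", "ip": "192.0.2.44", "cell": "40.71,-74.00", "hour": "2014-06-02T22"},
    {"model": "SM-G900V", "os": "Android 4.4.2", "ip": "192.0.2.45", "cell": "40.71,-74.00", "hour": "2014-06-02T20"},
    {"model": "iPhone6,2", "os": "iOS 7.1.1", "ip": "192.0.2.46", "cell": "40.71,-74.00", "hour": "2014-06-02T21"},
]
FIELDS = ["model", "os", "ip", "cell", "hour"]


def anonymity_set_sizes(rows, fields):
    """For each row, how many rows (itself included) share its values on `fields`."""
    key = lambda r: tuple(r[f] for f in fields)
    counts = Counter(key(r) for r in rows)
    return [counts[key(r)] for r in rows]


def fraction_unique(rows, fields):
    """Share of rows that are singled out (anonymity set of size 1) by `fields`."""
    return sum(1 for k in anonymity_set_sizes(rows, fields) if k == 1) / len(rows)


def smallest_identifying_subset(rows, fields, target_index):
    """Fewest fields (first found, in the given order) matching only the target row.

    Returns None when no combination works, i.e. another row is identical on
    every field, which is the only way a poster is actually hidden in the logs.
    """
    target = rows[target_index]
    for n in range(1, len(fields) + 1):
        for combo in combinations(fields, n):
            key = tuple(target[f] for f in combo)
            if sum(1 for r in rows if tuple(r[f] for f in combo) == key) == 1:
                return combo
    return None


if __name__ == "__main__":
    for fs in (["model"], ["model", "os"], ["ip"], FIELDS):
        print(f"{fs}: {fraction_unique(SAMPLE_LOGS, fs):.0%} of rows unique")
    for i in range(len(SAMPLE_LOGS)):
        print(f"row {i}: identified by {smallest_identifying_subset(SAMPLE_LOGS, FIELDS, i)}")
```

On this small sample the device model alone identifies nobody, but model plus OS version, or the IP address alone, already singles out some rows, and with every field in play three quarters of the rows are unique. The only two posters who stay hidden are the pair on identical phones behind the same address: an anonymity set of two, which is not much of a crowd.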

And why not? That's what every other Silicon Valley megacorp does — including, of course, the Secret founders' old employers at Google.

Update: Secret’s media rep insists that the app's unlinking feature does destroy connections between posts and user information. "Unlinking means the posts are completely unlinked. We make this very clear in our policy and your statement is wrong.” Also, an earlier version of this article stated that users don’t need to create an account in order to use Secret. They do.

Update II: Secret co-founder David Byttow got in touch by email to say that his app collects IP addresses and unique device IDs for debugging purposes only, and that this data is never connected to users’ personal info. "IP addresses and device id's are stored in logs without a link to user id, email, phone number etc, which are recycled every 24-72 hours… Email address and phone number is stored in permanent storage, encrypted. The two are not joinable,” he wrote. 


[Illustration by Brad Jonas for Pando]