
Why not fuzz it on the device, before sending to the server?

Now that is a legitimate question. Although, fuzzing it on the server is better than not fuzzing it at all.

Why not just amend your Privacy Policy to state that data is only stored in the United States?

Actually Whisper did the opposite, amend their privacy policy so that data can be stored outside of the US, but their new ToS are not active yet.

I think what he is saying is basically just: "We have content moderators in the Philippines. The Guardian is acting like we keep that secret, but here are 5 media articles where we talked about that ourselves. It is also not against our ToS. The provision that the Guardian is referencing is about servers."

I must say that it really looks like the Guardian article was somewhat sensationalist. Yes, Whisper is "tracking" its users by sending location data to the server, but that is obvious since that is an integral part of the app.




> Actually Whisper did the opposite, amend their privacy policy so that data can be stored outside of the US

True, I neglected this. Guardian points out (perhaps too imprecisely) that they changed the ToS to include storing data in other countries, and their response is essentially, "Calm down, right now we're only in the US." They've obviously made a deliberate move to open the door to storing data somewhere other than the US, but expect everyone to be reassured that they haven't actually walked through the door yet. Like the server-side location fuzzing, it's an unverifiable promise of security/privacy, not actual security and privacy.

> their new ToS are not active yet.

How not? http://whisper.sh/privacy , dated 13 October, has the "other countries" clause, and says "Any changes become effective when we post them on the Site."

> that is obvious since that is an integral part of the app.

I have to admit, I'm also a bit surprised that this, of all privacy issues, is blowing up so much. Still, I support raising awareness of privacy, and I'm getting sketchy vibes from Whisper's damage control, so that I wonder if they have more to hide or something.


> How not? http://whisper.sh/privacy , dated 13 October, has the "other countries" clause, and says "Any changes become effective when we post them on the Site."

I don't know, I got my information from this Guardian article:

"These new terms, which were posted on Whisper’s website on 13 October, come into effect on 12 November."

http://www.theguardian.com/world/2014/oct/16/-sp-whisper-pri...

Maybe the website and app have different ToS?


Thanks. I guess this is based on "The new Terms will become effective thirty (30) days after we post the notice on our Site."[0] in the Terms, which also seem to incorporate the Privacy Policy I linked, which is stated to take effect immediately. I don't know which statement about effective date takes precedence (another sign of sketchiness/sloppiness?), but at least I know what you and the Guardian are talking about.

[0] http://whisper.sh/terms


> Now that is a legitimate question. Although, fuzzing it on the server is better than not fuzzing it at all.

It might be worse, because it gives a false sense of security. People might be swayed into using the service and not realise the risk.



