newsonaut


by Mark Rogers

May 7, 2014


Don't count on Secret for either truth or anonymity

Journalists have long relied on anonymous tips, so it’s not surprising that an app that allows people to anonymously reveal secrets would catch their attention.

An app called Secret, for iOS and Android devices, allows people to chat among friends without using a name, profile or any other information about themselves. One such faceless person tipped the world that Google+ chief Vic Gundotra was leaving the company. You can see the message here: “Vic Gundotra is interviewing.”

It turned out to be true and led to all kinds of speculation about whether Google+ — a social media competitor for Facebook — was in trouble or possibly being shut down.

On the other hand, another Secret message that caused a stir in the tech world was uncovered as a hoax — but not before days of speculation about the veracity of it. Here’s the message: “Apple’s new EarPods will have sensors in them, for heart rate and blood pressure. Also iBeacons so they don’t get lost. They will require the lightning port, it’s why the audio jack was moved to the bottom.”

(By the way, you can find these messages by searching Google with keywords such as “Apple EarPods secret” — it’s not necessary to use the app.)

MacRumors went so far as to dig up an old patent that appeared to support the message, complete with an illustration.

The anonymous poster now admits on tumblr that he made the whole thing up: “I was blurry eyed, I had a headache, I was using the toilet and worrying about my blood pressure.” (Of course, this post is also anonymous so, even though it appears heartfelt and real, it could also be fake — taking us further down the rabbit hole.)

Any legitimate journalist knows that anonymous tips — even those from trendy new apps — should be verified before they are reported. But the way things stand these days, it seems anyone can say anything on Secret and have it widely disseminated.

The status of Google+ and Apple EarPods are not really that important in the larger scheme of things, so spreading rumours about them could be passed off as harmless.

Still, it wouldn’t take much for someone to post a so-called secret that truly is hurtful to someone’s life. In that case, who would take responsibility? Would the developers of Secret get a pass even though, it could be argued, they are the publishers?

Also: How anonymous are Secret users? Do you really want to trust your identity with a startup called Secret, Inc? For one thing, they need your phone number and email address to connect you with friends.

David Byttow, co-founder of Secret, tells us in a piece he wrote for Medium that phone numbers are “hashed” before they go out to the servers.

But then he adds: “Important note: Although we salt the data, it is possible to match a phone number to a hash, especially if the salt is known to an attacker. We’re looking at ways to make this even more secure (e.g., by joining client-specific data pre-hash or Diffie-Hellman key exchange). If you have a suggestion, please let us know at security@secret.ly as this is an active area of research for us.”

Sounds reassuring if you have any idea what he’s talking about.

One other thing to consider is that the company is located in the United States, as we are reminded in their privacy statement.

“Secret is based in the United States and the information we collect is governed by U.S. law. By accessing or using the Service or otherwise providing information to us, you consent to the processing and transfer of information in and to the U.S. and other countries.”

With recent revelations about U.S. government snooping, and companies powerless to do anything about it, that alone should put a chill down the spine of anyone thinking of putting out a secret that actually counts for something.

In the end, it’s best to think of Secret as an app for idle gossip. Trusting it for anything more will get you into nothing but trouble.




by Mark Rogers © 2010-2018