It turns out Whisper — the social networking app that lets users post messages to the service anonymously — may have been tracking its users' locations, sometimes even after the users opted out of the service's geolocation features.

That information has occasionally been shared with the U.S. government, including agencies such as the Pentagon, using a lower legal standard than is commonly used by other tech companies, according to an in-depth report by The Guardian.

Reporters from The Guardian recently visited Whisper's headquarters in Los Angeles. What they discovered over the course of three days showed that Whisper not only kept tabs on accounts it deemed interesting — "military personnel," a "sex-obsessed lobbyist," and political staffers, to name a few — but that it retained that information for far longer than its Web site suggested.

Whisper reportedly told The Guardian it "occasionally" uses user IP addresses but does not store usernames, phone numbers or personally identifiable information. Speaking to my colleague Tim Herrera, Whisper editor-in-chief Neetzan Zimmerman called the Guardian report a "pack of vicious lies." In a statement, Whisper spokeswoman Tracy Akselrud said the company is not sharing "specific user data with any organization" but was working with the Defense Department on a study about post-traumatic stress disorder.

When a user opted out of the geolocation tracking feature, which allows users to see Whisper posts that are "nearby," Whisper was still able to collect rough location data on a case-by-case basis from certain users' phones, according to The Guardian. When Whisper found out that The Guardian was preparing its story for publication, the company reportedly rewrote its terms of service to allow the collection of general geolocation data even when users have turned off the feature.

One question moving forward is whether revising its terms of service is enough to protect Whisper from an inquiry by the Federal Trade Commission, which can pursue companies that engage in "unfair or deceptive" acts and practices.

"The FTC has been clear that consumer expectations will govern in determining whether acts or practices are seen as deceptive," said Woodrow Hartzog, a privacy lawyer at the University of Notre Dame. "This includes not just the representations made as part of the terms of use, but also representations made while user interacting with the software and possibly even marketing statements and representations made by executives in interviews with the media."

The FTC has previously gone after Snapchat for allegedly misrepresenting its privacy practices to consumers. And this week, Snapchat users were dealt another blow when a third-party app designed to save Snapchat images admitted it was hacked, leaking a vast number of sensitive photos.

All this is a reminder that apps that claim to protect your privacy are rarely as secure or "secret" as they seem. Speaking of which, I've asked Secret whether they, too, collect user data in similar ways. In response, Secret chief executive David Byttow said the service collects geolocation data for users who opt in to its "nearby secrets" feature, which is turned off by default. No more than one location is stored at any time, he said in a statement.

"As a result, we simply do not have a location history for each user," said Byttow, who added that Secret does not share data with the government "systematically" but provides data in response to law enforcement subpoenas or warrants.