Anonymously spilling personal gossip and corporate secrets online is all fun and games–until someone gets a subpoena.

Startups like Secret and Whisper have defined a buzzy new category of social media, attracting millions of users and tens of millions of dollars in venture capital investments with the promise of allowing anyone to communicate with anonymity. But when it comes to actually revealing corporate and government secrets–a "whistleblowing" function that the two services either implicitly or explicitly condone–users should read the fine print.

For all their vaunted anonymity, both companies collect enough information to easily identify their secret-sharers, and both have exceptions written into their terms of service that allow them to rat out their private users at the first whiff of legal controversy.

Legal and security experts who reviewed those terms of service for WIRED say that broad exceptions in their anonymity protections make the companies' services legal scandals waiting to happen at best. And at worst, they're a trap for anyone who uses them to spill secrets that violate an NDA or a security clearance. "They say you can use this app to tell the world whatever you want to anonymously, but when you start reading the privacy policy, you realize it's not all that anonymous," says Runa Sandvik, staff technologist at the Center for Democracy and Technology and a former developer for the anonymity software Tor. "As soon as law enforcement asks, they’ll turn over information about who said what and when."

The Big Caveat

In the second paragraph of Whisper's privacy policy, for instance, the company reserves the right to reveal everything it knows about a user in a range of situations that seem to include a law enforcement investigation, a subpoena in a civil lawsuit, or simply an accusation of "wrongdoing" on the service. "WhisperText may preserve any transmittal or communication by you through the Service, or any service offered through the Service, and may disclose that information if legally required to do so or if WhisperText determines that the disclosure is reasonably necessary to enforce these Terms or to protect any rights hereunder or to respond to claims of wrongdoing by others," the policy says.

Secret offers a similar caveat in its privacy policy, warning that it will share information about its users "in response to a request for information if we believe disclosure is in accordance with any applicable law, regulation or legal process, or as otherwise required by any applicable law, rule or regulation."

Later in the policy, the company explains "How We Respond to Subpoenas from Courts," an even stronger red flag. "We have taken great effort to build strong security and encryption architecture to keep your Posts completely anonymized," the policy says. "While it is difficult to access, it is still technically possible for us to connect your Posts with your email address, phone number, or other personal data you have provided to us. This means that if a court asks us to disclose your identity, we may be compelled to do so."

To be fair, neither service has much choice in the matter: In many cases, they're legally compelled to comply with search warrants and subpoenas, says Hanni Fakhoury, an attorney with the Electronic Frontier Foundation. But "it's the doublespeak that's problematic," Fakhoury adds. "You have to be very careful about selling a program as a secure way to secretly communicate, and then reserve the right to turn over that information whenever necessary."

Whisper and Secret could simply not collect users' identifying information in the first place. But while neither service actually requires a user to share his name or telephone number upon registration, both say they collect other information from users, such as unique device identifiers for mobile phones, IP addresses, browser cookies, the user's internet service provider, and plenty of other data that can be used to finger a secret-spiller. Secret even admits in its privacy policy that its website ignores the advertising industry's "do not track" option built into browsers.

Calling All Whistleblowers

Apps like Whisper and Secret still don't seem to have entirely figured out their intended use case, and the notion that anyone would share real secrets on the services may seem far-fetched. But at a panel discussion last week at TechCrunch Disrupt, Whisper CEO Michael Heyward described the company's efforts to give a voice to exactly that sort of whistleblower, describing someone who "comes on to the service and says I work at the NSA and your president is abusing his constitutional powers and illegally reading your emails and listening to your phone calls."

Minutes later, Whisper investor Roelof Botha echoed that invitation to government and corporate secret-leakers, saying that one of Whisper's functions is "enabling grassroots whistleblowing, and some of that is really important for society."

"It might be an abuse taking place at a company, a church, or a military base," said Botha. "When there’s a public figure and the company can vet that the information is true, it seems to be in the public good for the information to be shared."

In an interview following the TechCrunch panel, Whisper's Heyward told WIRED that Whisper only "proactively" reports information about users to law enforcement when a minor is at risk. But when it comes to whistleblowers, he reiterated the company's terms of service: "This is not a place to come break the law. We’re not proponents of harboring criminals."

The company didn't respond to requests for further comments on criticisms of its terms of service and privacy policy. In a statement, Secret CEO David Byttow writes that "we've built our Terms of Service and Privacy Policy to ensure the safety and privacy of every user and the broader Secret community, ensuring that every user understands that Secret is not a place to engage in any unlawful activity."

Corporate Secrets Revealed

Secret has been more careful not to publicly advocate whistleblowing by its users. But that hasn't stopped those users from sharing plenty of sensitive corporate secrets, including the resignation of Google exec Vic Gundotra before it was announced, Google's layoff of a female executive after acquiring her company and hiring four of her male staffers, and news that Nike would be shuttering its Fuelband business, a rumor that turned out to be false.

For users who do need to anonymously leak sensitive secrets in the public interest, there exist far more secure outlets. In the wake of WikiLeaks, software like SecureDrop and GlobaLeaks lets any news site or non-profit host an anonymous leak submissions system that uses strong encryption and the anonymity software Tor to completely hide users' identities such that even the recipients of the leak can't identify them. News outlets from the New Yorker to Pierre Omidyar's investigative news startup First Look Media have all implemented SecureDrop to elicit WikiLeaks-style bombshells.

For career- and life-threatening leaks, whistleblowers should stick with those services that truly protect their anonymity. Whisper and Secret are best left to those confessing their theft of office supplies.

Additional reporting by Issie Lapowsky