You're not anonymous on Looped

tl;dr: Looped knows who you are, and so does anyone who cares to look. Avoid using it unless you understand the risks to your privacy. Read the conclusions.

A Yik Yak clone called Looped has launched on my college’s campus, and its primary draw is its anonymous forum. This post will investigate the internals of the Looped app and communication protocol, and demonstrate how one can trivially unmask anonymous posts made on the app.

Network protocol

Looped uses the WebSockets protocol, which enables two-way communication between the app and Looped’s backend servers – this allows the app to send and receive posts in real time.

When the app starts, it initiates a connection to /socket.io and from then on, all communications take place over the WebSocket.

By using freely available tools like Burp Suite, we can intercept and examine the data being exchanged in order to find out how Looped works.

User IDs

Figure: getFeed response data, used to construct the main feed for a channel

The app receives data via the WebSocket to construct the main feed. Note that each post has a creatorId associated with it. This is the ID number of the user who posted it. It is invisible, unique, and cannot be changed. We can use this information to correlate which anonymous posts and comments were posted by the same person.

For example, we can tell that both parts of this joke were posted by the same person because both comments have the same creatorId:

Figure: three comments ("Wtf I can't believe after all that shit, they're back together" / "Who?" / "MY ASS CHEEKS LMFAOO"), with comment data showing identical creatorIds

Associating IDs with users

When you create a new channel, Looped displays a list of every account on campus:

Figure: list of people to invite, including Looped co-founder Felix Madutsa

The internal data behind this list contains each user’s full name, profile picture, handle, and crucially, their creatorId:

Figure: data showing full name and user ID

With the data from this list, we effectively have a “phonebook” that associates each creatorId with its corresponding profile information. Therefore, we can link anonymous posts to names/handles, so anonymous channels on Looped are no more anonymous than its public channels.

Many Swarthmore students entered pseudonyms for their full names and handles. Plenty of others didn’t.

A detour: deleted comments

Looped moderators can censor comments which they deem inappropriate. In the app, they appear like this:

this comment has been deleted

But if we look at the data behind the scenes, the comment is still there, and it simply says “sex.” It’s just marked as hidden by changing its postState value from 0 (normal comment) to 2 (deleted).

Figure: the contents of the deleted post, which says 'sex'
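
One way a backend could close both leaks described above (the stable creatorId sent with every post, and the text of deleted comments still being delivered), shown as an added example that is not Looped's code and not from the original post. Only creatorId and postState (0 normal, 2 deleted) come from the post; the other field names, the secret and both function names are assumptions.

```javascript
const crypto = require('node:crypto');

const POST_STATE_DELETED = 2; // from the post: 0 = normal, 2 = deleted

// Pseudonym that is stable inside one thread (so a conversation can still be
// followed) but differs between threads, so posts cannot be joined on it.
// The HMAC key stays on the server; without it the small ID space could be
// brute-forced back to the real creatorId.
function threadPseudonym(secret, threadId, creatorId) {
  return crypto.createHmac('sha256', secret)
    .update(`${threadId}:${creatorId}`)
    .digest('hex')
    .slice(0, 12);
}

// Build the outgoing object from an allow-list instead of deleting fields
// from the database row, so a newly added column is never sent by accident.
function redactForClient(row, secret) {
  const out = {
    id: row.id,
    threadId: row.threadId,
    postState: row.postState,
    author: threadPseudonym(secret, row.threadId, row.creatorId),
  };
  // Moderated text stays on the server; the client only learns the state.
  if (row.postState !== POST_STATE_DELETED) out.text = row.text;
  return out;
}

// Constructed sample rows (not real Looped data).
const SECRET = 'constructed-demo-key';
const rows = [
  { id: 1, threadId: 10, creatorId: 4242, postState: 0, text: 'first half' },
  { id: 2, threadId: 10, creatorId: 4242, postState: 0, text: 'second half' },
  { id: 3, threadId: 11, creatorId: 4242, postState: 2, text: 'removed text' },
];
const sent = rows.map((r) => redactForClient(r, SECRET));
console.log(sent);
```

This only limits what other clients can link together; the server still holds the real creatorId for every row, and timing and writing style remain visible in the posts themselves.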

Conclusions

Looped knows exactly who posts what – every anonymous post is linked to an account, and every account has a phone number/Snapchat and college email address linked to it.

Looped leaks data like a sieve, and it’s easy for a third party to associate an anonymous post with the full name, handle, and profile picture of the account that posted it. Maybe they use pseudonyms. It doesn’t matter.

Even with just ID numbers and pseudonyms, it is possible to correlate which posts and comments belong to the same accounts, and identify patterns in behavior. Every post betrays information through things like time of day, subject matter, word choice, and writing style.

The ability to correlate posts using a consistent creatorId kills forward anonymity. If someone ever links even a single post with your identity (for example: if Looped suffers a data breach, if Looped gets subpoenaed, if you slip up and post something identifying, or if a friend identifies a post you made), then all of your previous posts are effectively open as well. And this can happen at any time – years or even decades later, even if Looped shuts down. All someone needs to do is save the receipts. You will remain anonymous if and only if you can guarantee that neither you nor Looped makes a mistake at any point in the future. I don’t trust you because you’re human. I don’t trust Looped because they’ve already shown themselves to be incompetent.

Harm reduction

I don’t use Looped. I don’t recommend Looped. I will stick to scratching messages in the desks at the library. But if you wish to continue using Looped, you can take some steps to protect yourself.

  • Change your name, handle, and profile picture.
  • Be mindful of what you post on Looped. Your posts are linked.
  • Don’t be stupid. Don’t attract the police.
  • Consider what you have already posted. If someone can identify you based on your past activity on Looped, stop posting. Make a new account.
  • Post disinformation to gain back a few bits of anonymity.

And remember, Looped knows who you are. These steps can only help protect you from fellow students.

FAQ

Will you tell me who posted X?

No.