Last November, Snapchat, the then 2-year old developer of a popular mobile messaging app,
spurned a purchase offer from Facebook that had valued the firm with no revenues
at $3bn, is now facing a reality that a key aspect of its business model has
been undermined and it faces 20 years of audits of its privacy obligations by a
US federal agency.
It had claimed that images and messages would
self-destruct in 10 seconds, making the feature a very popular one among teens -
- eager to avoid parental control.
On Thursday it was disclosed that Snapchat had agreed to settle
US Federal Trade Commission charges that it deceived consumers with
promises about the disappearing nature of messages sent through the service.
The FTC case also alleged that the company deceived consumers over the amount
of personal data it collected and the security measures taken to protect that
data from misuse and unauthorized disclosure. In fact, the case alleges,
Snapchat’s failure to secure its Find Friends feature resulted in a security
breach that enabled attackers to compile a database of 4.6m Snapchat
usernames and phone numbers.
According to the FTC’s complaint, Snapchat made multiple misrepresentations to
consumers about its product that stood in stark contrast to how the app
“If a company markets privacy and security as key selling points in pitching its
service to consumers, it is critical that it keep those promises,”
said FTC chairwoman Edith Ramirez. “Any company that makes misrepresentations to
consumers about its privacy and security practices risks FTC action.”
Touting the “ephemeral” nature of “snaps,” the term used to describe photo and
video messages sent via the app, Snapchat marketed the app’s central feature as
the user’s ability to send snaps that would “disappear forever" after the
sender-designated time period expired. Despite Snapchat’s claims, the complaint
describes several simple ways that recipients could save snaps indefinitely.
Consumers can, for example, use third-party apps to log into the Snapchat
service, according to the complaint. Because the service’s deletion feature
only functions in the official Snapchat app, recipients can use these widely
available third-party apps to view and save snaps indefinitely. Indeed, such
third-party apps have been downloaded millions of times. Despite a security
researcher warning the company about this possibility, the complaint alleges,
Snapchat continued to misrepresent that the sender controls how long a recipient
can view a snap.
In addition, the
That Snapchat stored video snaps unencrypted on the recipient’s device in a
location outside the app’s “sandbox,” meaning that the videos remained
accessible to recipients who simply connected their device to a computer and
accessed the video messages through the device’s file directory.
That Snapchat deceptively told its users that the sender would be notified
if a recipient took a screenshot of a snap. In fact, any recipient with an
Apple device that has an operating system pre-dating iOS 7 can use a simple
method to evade the app’s screenshot detection, and the app will not notify
That the company misrepresented its data collection practices. Snapchat
transmitted geolocation information from users of its Android app, despite
The complaint also alleges that Snapchat collected iOS users’
(iOS is Apple's operating system) contacts
information from their address books without notice or consent. During
registration, the app prompted users to, “Enter your mobile number to find your
collected the user’s email, phone number, and Facebook ID for the purpose of
finding friends. Despite these representations, when iOS users entered their
phone number to find friends, Snapchat also collected the names and phone
numbers of all the contacts in their mobile device address books. Snapchat
continued to collect this information without notifying or obtaining users’
consent until Apple modified its operating system to provide such notice with
the introduction of iOS 6.
Finally, the FTC
alleges that despite the company’s claims about taking reasonable security
steps, Snapchat failed to secure its “Find Friends” feature.
For example, the complaint alleges that numerous consumers complained that they
had sent snaps to someone under the false impression that they were
communicating with a friend. In fact, because Snapchat failed to verify users’
phone numbers during registration, these consumers were actually sending their
personal snaps to complete strangers who had registered with phone numbers that
did not belong to them.
Moreover as noted above, the complaint alleges that Snapchat’s failure to secure
its Find Friends feature resulted in a security breach permitting attackers to
compile a database of 4.6m Snapchat usernames and phone numbers.
According to the FTC, the exposure of this information could lead to costly
spam, phishing, and other unsolicited communications.
The FTC said that the settlement with Snapchat is part of
its ongoing effort to
that companies market their apps truthfully and
keep their privacy promises to consumers. Under the terms of its
with the FTC, Snapchat will be prohibited from
misrepresenting the extent to which it maintains the privacy, security, or
confidentiality of users’ information. In addition, the company will be
required to implement a comprehensive privacy program that will be monitored by
an independent privacy professional for the next 20 years.
This case is part of a multi-national enforcement sweep on mobile app privacy by
members of the
Privacy Enforcement Network
a cross-border coalition of privacy enforcement authorities. The case is also
coordinated with the Asia Pacific Privacy Priorities forum’s Privacy
The FTC said it will publish a description of the consent agreement package in the
near future. The agreement will be subject to public comment for 30
days, beginning today and continuing through June 9, 2014, after which the
Commission will decide whether to make the proposed consent order final.
Interested parties can submit written comments electronically or in paper form
by following the instructions in the “Invitation To Comment” part of the
“Supplementary Information” section. Comments in electronic form
be submitted online.
Snapchat said in
a blog post: "When we
started building Snapchat, we were focused on developing a unique, fast, and fun
way to communicate with photos. We learned a lot during those early days. One of
the ways we learned was by making mistakes, acknowledging them, and fixing
The Wall Street Journal says: "Its
disappear permanently. It says they will disappear from the screen
and be deleted from the company's servers. It cautions that other users could
preserve the messages by taking screenshots."