A mobile app that lets users send photo and video messages that recipients can look at for a moment before the content is, in effect, gone with the wind? Scarlett O’Hara could have declared her love for Rhett Butler (or Ashley Wilkes), confident that the message was ephemeral. Of course, residents of Tara didn’t have access to the popular app Snapchat, which claimed to do just that. But according to an FTC settlement, the company’s promise that Snapchat messages would “disappear forever” proved to be more fleeting than the messages themselves. What's more, the lawsuit alleges that Snapchat didn't give people the straight story about the information the app collected.
People use Snapchat every day to send millions of “snaps.” Before sending a photo or video, users can select the period of time – between 1 second and 10 seconds – in which the recipient can view the snap. According to the company, “They’ll have that long to view your message and then it disappears forever.” Between October 2012 and October 2013, Snapchat reinforced that claim with this statement in its FAQs:
Is there any way to view an image after the time has expired?
No, snaps disappear after the timer runs out.
But there was a big problem. Despite the company’s promise, there were several easy ways that recipients – even those who weren’t particularly tech-savvy – could save those messages. One simple method: When a recipient got a video message, Snapchat stored the file in a location outside of the app’s “sandbox,” the private storage area on the device that other apps can’t access. Because the file was in an unrestricted place, the recipient could connect their device to a computer and use simple browsing tools to locate and save the video. That method was widely publicized as early as December 2012, but the FTC says Snapchat didn’t fix the flaw until almost a year later when it began encrypting video files sent through the app.
That wasn’t the only easy way to save snaps. Other developers began to offer apps that could connect to Snapchat’s application programming interface (API). That let recipients log into Snapchat without using the company’s app, bypassing the timer and deletion functions altogether. According to the FTC, that didn't come as a surprise to Snapchat. As early as June 2012, a security researcher warned the company that because of how the app’s API operated, it would be “pretty easy to write a tool to download and save the images a user receives.” By spring 2013, apps like that were readily available – and very popular – on the iTunes App Store and Google Play.
The FTC says there was another problem with what Snapchat said about its app. It’s easy to take a screenshot to capture an image, including a snap during that brief period when it’s visible. So Snapchat told users “We’ll let you know if [the recipient] takes a screenshot!” But according to the complaint, there was a simple work-around to avoid this. On earlier versions of iOS, all the recipient had to do was double-click the device’s Home button to take a screenshot without the sender being notified. So much for “We’ll let you know . . .”
Another part of the FTC’s case addresses allegedly false statements Snapchat made about what it did with personal information. For example, between June 2011 and February 2013, the company told users “We do not ask for, track, or access any location-specific information from your device at any time while you are using the Snapchat application.” But in October 2012, Snapchat added an analytics tracking service to the Android version of its app that collected geolocation information. While the Android system provided notice to consumers that the app may access location data, Snapchat continued until February 2013 to tell people its app didn’t “ask for, track, or access any location-specific information” when, in fact, it was transmitting geolocation information to its analytics provider.
The FTC also charged that what Snapchat told consumers about its “Find Friends” feature was misleading. During registration, the app prompted people to “Enter your mobile number to find your friends on Snapchat!” The FTC says that suggested to users that the phone number was the only information Snapchat collected to find friends. In fact, when people used the feature, Snapchat collected the names and phone numbers of all contacts in the user’s address book. Users weren’t notified of this collection practice until later, when the iOS operating system was updated to provide notification when an app accessed the user’s address book.
In addition, the complaint alleges that Snapchat didn’t design its Find Friends feature with security in mind. For a 15-month period beginning in September 2011, Snapchat failed to verify if the phone number an iOS user entered into the app really belonged to that mobile device. As a result, a person could create an account – and thus send and receive snaps – using someone else’s phone number. Snapchat got an earful from some consumers who complained that accounts associated with their phone numbers had been used to send inappropriate or offensive snaps.
Furthermore, the FTC says Snapchat’s failure to secure its Find Friends feature resulted in a security breach that let attackers compile a database of 4.6 million Snapchat usernames and phone numbers.
You’ll want to read the complaint and proposed order for the details, including the provisions Snapchat has agreed to implement to settle the lawsuit. What tips can other companies take from this case?
- Keep your ears open when credible people raise concerns. Snapchat is hardly the first company to get an early heads-up from a security researcher about a privacy hole in their product. Certainly, the preferred scenario is if glitches are spotted before you go to market. But the next best thing is to monitor what people are saying about your product and act ASAP if flaws come to light.
- Think through how proposed changes affect the privacy promises you’ve already made. Snapchat told people it didn’t collect geolocation information, but later added an analytics tracking service that did just that. If you decide to modify your product or practices, remember that you’re not writing on a blank slate. Savvy app developers understand why it’s wiser to get users’ express consent before making material changes.
- Privacy promises aren’t just marketing talk. Whether it’s about what your app can do or your information collection practices, objective claims trigger federal truth-in-advertising standards. According to the FTC, Snapchat said that photos and videos would be gone with the wind, but didn’t live up to that promise. The message for companies: When it comes to deceptive claims about consumer privacy, frankly, my dear, we do give a damn.
You can file an online comment about the proposed settlement by June 9, 2014.