Snapchat can no longer legally claim that photos sent over its service are "ephemeral," "disappear forever" and "aren't saved," after a settlement with the Federal Trade Commission today (May 8, 2014).
The FTC argued that Snapchat was "deceiving customers" because Snapchat users have a number of ways to save these messages, such as opening Snapchat messages in third-party apps. Additionally, the FTC complaint accused Snapchat of misleading users about how much personal data it collects and how securely it stores that data. Rather than go to court, Snapchat agreed to settle the charges.
As part of the terms of the settlement, Snapchat must implement a "comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years," the FTC wrote in a blog post.
Snapchat is a private messaging app for sending photos that are supposed to disappear automatically after a certain amount of time. The idea is that Alice could send Bob a photo and feel secure that there was no way Bob could save the photo or share it with other people, or that anyone else could accidentally find the photo that was meant only for Bob.
The official FTC complaint pointed out that, from October 2012 to October 2013, the "FAQ" page on Snapchat's website read: "Is there any way to view an image after the time has expired? No, snaps disappear after the timer runs out."
However, it's not hard to prevent these messages from disappearing, or to make them "reappear" later. For example, Snapchat does not store video messages in the app's "sandbox," the isolated storage area reserved for the app on the smartphone on which it is installed. That means a recipient can connect the device to a PC, navigate through the device's storage folders, and simply copy the video file out before it "expires."
Further, Snapchat allows other applications to connect to its service via an application programming interface (API). As the proton packs in "Ghostbusters" can catch ghosts, these third-party apps give users the means to save photo and video messages.
"As early as June 2012, a security researcher warned Snapchat that it would be 'pretty easy to write a tool to download and save the images a user receives' due to the way the API functions," the FTC's complaint reads.
Failure to staunch
The FTC's complaint also accuses Snapchat of several security failures, and argues that these oversights led to a data breach last December in which 4.6 million Snapchat user accounts and cell phone numbers were leaked onto the Internet.
Part of the issue was that Snapchat required new users to enter a mobile phone number to be associated with their Snapchat accounts, but did not verify that the person registering actually controlled that number, for instance by checking that it matched the number of the device on which the app was installed. This let people create "fake" Snapchat accounts using other people's phone numbers, and create as many such accounts as they liked.
Further, via its "Find Friends" feature, Snapchat also scanned users' address books stored on their phones, and uploaded those contacts to Snapchat's servers. It then used this data to show users which of their friends also used Snapchat.
But Snapchat did not place a limit on the number of Find Friends lookups that any one account could make. The attackers in the 2013 data breach combined these two weaknesses: They created Snapchat accounts using randomly generated phone numbers, then used those accounts to send Find Friends requests containing large lists of candidate numbers, and collected the usernames the service returned, compiling the 4.6 million user accounts and cell numbers.
"The exposure of usernames and mobile phone numbers could lead to costly spam, phishing, and other unsolicited communications," the FTC wrote in its complaint.
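The following is an added example, not Snapchat's code or any real Snapchat API, illustrating the two failures the complaint describes and how they compound. It models a hypothetical contact-matching endpoint over a constructed directory of 200 users spread across a 10,000-number space: with no lookup budget, one account can walk the whole space; with a per-account budget, a single account is cut off early, but an attacker who can register unverified sock-puppet accounts simply spreads the work across them. The `Registration` class contrasts accepting a claimed phone number at face value with requiring a one-time code delivered to that number. All names, data and numbers are constructed for the example.

```python
"""Constructed model of an unbounded contact-lookup endpoint (added example)."""
import hmac
import secrets
from collections import defaultdict

# Constructed directory: numbers "5550000".."5559999"; every 50th number
# belongs to a hypothetical user, so 200 users in a 10,000-number space.
NUMBER_SPACE = [f"555{n:04d}" for n in range(10000)]
USERS = {f"user{i:03d}": NUMBER_SPACE[i * 50] for i in range(200)}
PHONE_INDEX = {phone: name for name, phone in USERS.items()}


class RateLimited(Exception):
    """Raised when an account exceeds its lookup budget."""


class FindFriendsService:
    """Hypothetical 'find friends' endpoint: submit phone numbers, get back
    which of them belong to registered users.

    lookup_budget is the total number of phone numbers one account may
    submit; None means unbounded, the weak configuration the complaint
    describes."""

    def __init__(self, lookup_budget=None):
        self.lookup_budget = lookup_budget
        self.used = defaultdict(int)  # account -> numbers submitted so far

    def find_friends(self, account, phones):
        if self.lookup_budget is not None and \
                self.used[account] + len(phones) > self.lookup_budget:
            raise RateLimited(account)
        self.used[account] += len(phones)
        return {p: PHONE_INDEX[p] for p in phones if p in PHONE_INDEX}


def enumerate_directory(service, account, batch_size=100):
    """Attacker with one account: walk the number space until cut off.
    Returns {phone: username} for every hit."""
    found = {}
    for start in range(0, len(NUMBER_SPACE), batch_size):
        batch = NUMBER_SPACE[start:start + batch_size]
        try:
            found.update(service.find_friends(account, batch))
        except RateLimited:
            break
    return found


def enumerate_with_sockpuppets(service, accounts, batch_size=100):
    """Attacker with many (unverified) accounts: when one account is rate
    limited, resume the same position from the next account."""
    found = {}
    start = 0
    for account in accounts:
        while start < len(NUMBER_SPACE):
            batch = NUMBER_SPACE[start:start + batch_size]
            try:
                found.update(service.find_friends(account, batch))
            except RateLimited:
                break  # this account is spent; keep `start` for the next one
            start += batch_size
    return found


class Registration:
    """Sign-up that either trusts the claimed phone number (weak) or requires
    a one-time code delivered to that number before the account exists."""

    def __init__(self, require_verification):
        self.require_verification = require_verification
        self.pending = {}   # phone -> code "sent" by SMS (simulated here)
        self.accounts = {}  # username -> phone

    def start(self, username, phone):
        if not self.require_verification:
            self.accounts[username] = phone  # anyone can claim any number
            return None
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[phone] = code
        return code  # in a real system delivered out of band to `phone` only

    def confirm(self, username, phone, code):
        expected = self.pending.get(phone)
        if expected is None or not hmac.compare_digest(expected, code):
            return False
        del self.pending[phone]
        self.accounts[username] = phone
        return True


if __name__ == "__main__":
    print(len(enumerate_directory(FindFriendsService(), "attacker")))
    limited = FindFriendsService(lookup_budget=500)
    print(len(enumerate_directory(limited, "attacker")))
    puppets = [f"puppet{i}" for i in range(20)]
    print(len(enumerate_with_sockpuppets(limited, puppets)))
```

The point of the last call is that a lookup budget only bounds the damage if creating accounts is itself expensive; with unverified sign-up, twenty throwaway accounts restore the unbounded result, which is why the complaint treats the missing phone verification and the missing rate limit as one combined failure.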