Snapchat, the developer of a popular mobile messaging app, settled Federal Trade Commission (FTC) charges that its promises of “disappearing messages” were false and that it transmitted users’ locations and collected their address books without providing notice to users or obtaining their consent.
According to the FTC’s complaint, Snapchat’s mobile application allows consumers to send and receive photo and video messages known as “snaps.” The FTC noted that, before sending a snap, the application requires the sender to designate a period of time that the recipient will be allowed to view the snap, and that Snapchat marketed its application as a service for sending “disappearing” photo and video messages, declaring that the message sender “control[s] how long your friends can view your message.”
Despite Snapchat’s claims, the FTC contended that several methods exist by which a recipient can use tools outside of the application to save both photo and video messages, allowing the recipient to access and view the photos or videos indefinitely. For example, when a recipient receives a video message, the application stores the video file in a location outside of the application’s “sandbox” (i.e., the application’s private storage area on the device that other applications cannot access). According to the FTC, until October 2013, a recipient could connect his or her mobile device to a computer and use simple file browsing tools to locate and save the video file. Although this method for saving video files was widely publicized as early as December 2012, the FTC contended that Snapchat did not mitigate this flaw until October 2013.
The FTC also asserted that third-party developers built applications – which were downloaded millions of times – that could connect to Snapchat’s application programming interface (API), thereby allowing recipients to log in to the Snapchat service without using the official Snapchat application. Because the timer and related “deletion” functionality depended on the recipient’s use of the official Snapchat application, the FTC contended, recipients could instead simply use a third-party application to download and save both photo and video messages. The FTC claimed further that, in addition to these methods, a recipient could use the mobile device’s screenshot capability to capture an image of a snap while it appears on the device screen, and that recipients could “easily circumvent” Snapchat’s screenshot detection mechanism.
Finally, the FTC’s complaint alleged that Snapchat’s failure to secure its “Find Friends” feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.
Under the terms of its proposed consent agreement with the FTC, Snapchat is prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information, including, but not limited to:
- The extent to which a message is deleted after being viewed by the recipient;
- The extent to which Snapchat or its products or services are capable of detecting or notifying the sender when a recipient has captured a screenshot of, or otherwise saved, a message;
- The categories of personal user information Snapchat collects; or
- The steps Snapchat takes to protect against misuse or unauthorized disclosure of personal user information.
In addition, Snapchat must implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.
The bottom line