Snapchat has finally agreed to settle with the Federal Trade Commission (FTC) over allegations that it was deceiving customers by collecting their user information without permission. Snapchat is one of many tech start-ups promising a degree of privacy or anonymity to its users.
Snapchat, a mobile messaging app, promises users that photos and videos will disappear forever after they are sent, thus ensuring privacy and safeguarding against data collection. According to the FTC, the company “made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked.”
The FTC said that the messages, or “snaps,” could be saved in several ways. For instance, users could save messages by using a third-party app, or employ simple workarounds that allow users to take a screenshot of messages without detection.
According to the FTC, Snapchat also transmitted users’ location information and collected sensitive data, such as address book contacts, despite claiming that it didn’t collect such information. The commission also said that the policies allowed security researchers to compile a database of 4.6 million user names and phone numbers during a recent security breach.
The FTC commented:
“Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.”
In response, Snapchat stated on May 8:
Snapchat warns users about potential data collection in its privacy statement:
“There may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted. You should not use Snapchat to send messages if you want to be certain that the recipient cannot keep a copy.”
However, this didn’t seem to be enough. Back in January, a hacker published a database containing over 4 million Snapchat user names and phone numbers, a very public leak of sensitive information. The hacker went by the name of “Lightcontact” and first posted the database on Reddit and another website called SnapchatDB.info. The site has since been taken down, but not before data quickly circulated around the web, with programmers building web tools, for instance GS Lookup and Snapcheck, to help Snapchat users see if their own user names or phone numbers had been compromised.
Back in August 2013, Snapchat was warned in a Gibson Security report that its data were vulnerable. The company ignored the report, and no further security investments were made to address the issues it revealed.
According to Robbie Trencheny, an app developer who put together the tool hosted on the GS Lookup page, “It just doesn’t seem to take a lot to figure out how to bypass the protections they have in place.”
According to consumer privacy expert Bob Sullivan, things aren’t as dire as that:
“These aren’t credit card numbers and these aren’t social security numbers – they’re phone numbers. What’s the worst case scenario? Someone you don’t want to have your number has your number. This is far from ideal, but not the worst thing that could happen.”
The FTC’s complaint couldn’t really have come at a worse time for Snapchat. Just last year, the company turned down a multibillion-dollar buyout offer from Facebook. Snapchat, based in Los Angeles, is run by Evan Spiegel and Bobby Murphy, who first released the service in 2011. It quickly gained a following among high school students in Southern California and recently has become one of the most sought-after businesses in the tech industry, gaining attention from various venture capital firms in Silicon Valley as well as tech giants like Facebook and Google.
While the company doesn’t say exactly how many people are using its service, it does send over 700 million messages between users daily.
On Thursday, May 8, 2014, Snapchat, a mobile messaging app, settled with the FTC over allegations that it deceived customers by collecting user information without permission. This case and the resulting settlement reflect the FTC’s continuing investigative effort to hold tech companies accountable to their marketing claims and privacy assurances.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Purposes and uses of PII (I.C.c.)
- Privacy Expectations (III.A.)