Snapchat settles FTC suit, admits guilt about security issues

Snapchat, the messaging service promising disappearing messages, has settled a complaint with the FTC. The complaint involved several inconsistencies the FTC said were occurring within Snapchat's service, running the gamut from the message service itself to the nature of information gathering Snapchat said it wasn't doing. The settlement closes a chapter in the Snapchat saga, but opens up a can of worms.

The crux of the complaint centered on those "snaps" Snapchat said would delete forever from their server — which they do. The problem is, third-party apps often save the snaps, which the FTC counters doesn't exactly lend itself to Snapchat being "secure". Even worse, the FTC says Snapchat continued to tout their service as secure, even after being notified of this workaround by a security researcher. The claim also alleged the following:

  • That Snapchat stored video snaps unencrypted on the recipient's device in a location outside the app's "sandbox," meaning that the videos remained accessible to recipients who simply connected their device to a computer and accessed the video messages through the device's file directory.
  • That Snapchat deceptively told its users that the sender would be notified if a recipient took a screenshot of a snap. In fact, any recipient with an Apple device that has an operating system pre-dating iOS 7 can use a simple method to evade the app's screenshot detection, and the app will not notify the sender.
  • That the company misrepresented its data collection practices. Snapchat transmitted geolocation information from users of its Android app, despite saying in its privacy policy that it did not track or access such information.

Snapchat was also accused of collecting data when it said it wasn't. Enter your phone number to use the "Find Friends" feature, and the FTC says that "Snapchat's privacy policy claimed that the app only collected the user's email, phone number, and Facebook ID for the purpose of finding friends. Despite these representations, when iOS users entered their phone number to find friends, Snapchat also collected the names and phone numbers of all the contacts in their mobile device address books."

Snapchat's service also allowed people to communicate with random strangers who they believed were friends. The FTC found that because Snapchat failed to verify numbers on startup, people would send messages to people they didn't know, believing the recipient was a friend when it was just someone who had registered a random number. Snapchat's failure to secure the data also resulted in that massive breach that made headlines some time ago. The company will also be subject to independent security oversight for the next 20 years.

The settlement closes a chapter for Snapchat, and serves notice to companies about securing data. Ever defiant, Snapchat says in a blog post, "Even before today's consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications. And we continue to invest heavily in security and countermeasures to prevent abuse." They may be rethinking those buyout offers right about now.

Source: FTC, Snapchat