Mobile messaging app developer Snapchat has agreed to settle Federal Trade Commission (FTC) charges that it deceived consumers with promises about the disappearing nature of messages sent through the service. The FTC case also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorised disclosure. In addition, the case alleges Snapchat's failure to secure its Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.
According to the FTC's complaint, Snapchat made multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked. Boasting the "ephemeral" nature of "snaps," the term used to describe photo and video messages sent via the app, Snapchat marketed the app's central feature as the user's ability to send snaps that would "disappear forever" after the sender-designated time period expired. Despite Snapchat's claims, the complaint describes several ways that recipients could save snaps indefinitely.
Consumers can, for example use third-party apps to log into the Snapchat service, according to the complaint. Because the service's deletion feature only functions in the official Snapchat app, recipients can use these third-party apps to view and save snaps indefinitely. Despite a security researcher warning the company about this possibility, the complaint alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap.
In addition, the complaint alleges that Snapchat stored video snaps unencrypted on the recipient's device in a location outside the app's "sandbox," meaning that the videos remained accessible to recipients who simply connected their device to a computer and accessed the video messages through the device's file directory. The FTC alleges that Snapchat deceptively told its users that the sender would be notified if a recipient took a screenshot of a snap. In fact, any recipient with an Apple device that has an operating system pre-dating iOS 7 can use a simple method to evade the app's screenshot detection, and the app will not notify the sender. It is also being alleged that the company misrepresented its data collection practices. Snapchat transmitted geolocation information from users of its Android app, despite saying in its privacy policy that it did not track or access such information.
The complaint also alleges that Snapchat collected iOS users' contacts information from their address books without notice or consent. During registration, the app prompted users to, "Enter your mobile number to find your friends on Snapchat!" Snapchat's privacy policy claimed that the app only collected the user's email, phone number and Facebook ID for the purpose of finding friends. Despite these representations, when iOS users entered their phone number to find friends, Snapchat also collected the names and phone numbers of all of the contacts in their mobile device address books. Snapchat continued to collect this information without notifying or obtaining users' consent until Apple modified its operating system to provide such notices with the introduction of iOS 6.
Finally, the FTC alleges that despite the company's claims about taking responsible security steps, Snapchat failed to secure its "Find Friends" feature. The Commission vote to accept the consent order for public comment was 5-0.
