Snapchat is a wildly popular app for Androids and iDevices that allows you to share photos with your friends.
Snapchat replaces more pedestrian ways of sharing photos, such as sending them by email.
The app enables you - indeed, it pretty much encourages you - to share snapshots you would probably be wiser to keep to yourself, or better yet not to take in the first place (my emphasis below):
Snapchat is a new way to share moments with friends. Snap an ugly selfie or a video, add a caption, and send it to a friend (or maybe a few). They'll receive it, laugh, and then the snap disappears.
The image might be a little grainy, and you may not look your best, but that's the point. It's about the moment, a connection between friends, and not just a pretty picture.
The allure of fleeting messages reminds us about the beauty of friendship - we don't need a reason to stay in touch.
Give it a try, share a moment, and enjoy the lightness of being!
Clearly, Snapchat's primary feature, if not its raison d'etre, is "managed risk".
You can live a bit recklessly, Snapchat seems to be saying, because the snap disappears after your friends have looked at it.
In fact, the app description on Google's Play Store goes one step further, promising disappearance for all eternity:
Snapchat is the fastest way to share a moment with friends.
You control how long your friends can view your message - simply set the timer up to ten seconds and send.
They'll have that long to view your message and then it disappears forever.
We'll let you know if they take a screenshot!
As fellow Naked Security writer Graham Cluley asked late last year, early on in Snapchat's short history, "How do you reconcile 'dispappears forever' with 'if they take a screenshot'?"
After all, if the screenshot warning ever does come up (assuming the screenshot detector does its job), the one thing you can be sure of is that the image has not disappeared forever, or even at all.
That's because the screenshot function creates a new image, not managed by the Snapchat application, and saves it where your friend is in complete control of it, rather than you or Snapchat.
So "disappears forever" is something of a bogus concept to start with.
But just how meaningful is Snapchat's promise if you completely ignore the screenshot problem, or the taking-a-picture-of-the-screen-with-another-camera problem?
US-based computer forensics geek Richard Hickman thought he'd find out.
Be prepared to laugh (or cry - it's not really funny): according to Hickman, "expired" Snapchat photos don't disappear at all!
He grabbed a forensic image of a phone running Snapchat, found a directory called received_image_snaps and looked in it.
Both unviewed and expired images were still there.
If Hickman's analysis is correct (and it certainly seems to be), Snapchat relies on two steps to make your images "disappear":
- It adds the extension .nomedia to the filenames, which is a standard Android marker that says, "Other apps should ignore this file. Do not index it, thumbnail it, add it to any galleries, or whatnot. Leave it to me."
- It adds a record to its own database to say, "The following image should be treated as though it doesn't exist. Leave it to me, and I will pretend it has disappeared forever."
Just as egregiously, Snapchat doesn't even come close to guaranteeing that your images get deleted from its own servers once they've been delivered:
When you send or receive messages using the Snapchat services, we temporarily process and store your images and videos in order to provide our services. Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient (and after a certain period of time if they don't open the message), we cannot guarantee that the message contents will be deleted in every case.
So when you share that "ugly selfie", where does it end up?
It's stored on your phone, but you'd expect that because you took it, so that's your lookout.
It's stored on Snapchat's servers, where it will probably be deleted once it's been delivered, but not in every case.
And it's stored on the recipients' phones, from where it apparently won't be deleted at all, though it will be marked "not for display," which seems to be synonymous in Snapchat's argot with "disappears forever".
What to do about this?
The obvious first step is to share snapshots only if you don't mind them hanging around forever.
The second step is to stop using Snapchat until these issues get fixed.
And the third is to write to the Snapchat guys and suggest that they could use cryptography and positive erasure to come much closer to fulfilling their promises, so you can start using their app again.
Here are some cryptographic tricks that Snapchat might consider:
- When user X signs up, generate a public/private key pair on his device and send the public key to the Snapchat servers.
- When storing an image for delivery to X, encrypt it with X's public key so it can't be decrypted unless and until X receives it on his device. That way, images implicitly 'disappear' from the Snapchat servers even before they are delivered.
- Encrypt each image delivered to X's device with a random key, and keep the key on the Snapchat server until X requests to view the image. That way, the key and the decrypted image only ever need to exist in memory on X's device, and thus implicitly 'disappear' once viewed.
- When 'disappearing' an image, positively erase (i.e. actively overwrite) the random key off the Snapchat servers. Without the key, the encrypted image becomes shredded cabbage.
- When 'disappearing' an image, positively erase the encrypted image file on X's device, just in case the key survived, for defence in depth.
- When uninstalling the app, positively erase X's private key. That way, as-yet unviewed images become shredded cabbage.
- Whenever X has no unexpired images left to view, positively erase X's private key and generate a new keypair as though starting a fresh install.
The bottom line?
Call me a killjoy, but don't share a selfie, ugly or not, or any other file, for that matter, unless you are willing to risk it being in circulation forever.
And if you're not willing to risk it being in circulation forever, consider not even taking it in the first place.