Snapchat blurts out the S-word


Team Snapchat, as it calls itself, has finally used the S-word.

Over Christmas 2013, the selfie-sharing site was confronted with warnings that its “find a friend by phone number” service was open to abuse.

Snapchat wrote off the risk as “theoretical.”

We’ll assume that Snapchat didn’t mean to throw down the gauntlet with its choice of words, but that seems to have been the outcome.

By New Year 2014, the selfie-sharing site was confronted with an online data dump of 4,600,000 usernames and phone numbers, apparently acquired by means of this “theoretical” attack.

→ Fair enough, an attack can’t be possible in practice without also being possible in theory, so Snapchat’s claim was true. But the phrase “theoretical attack” is a loaded one, typically implying that the attack should be considered highly unlikely.

Clearly, the anti-data-scraping protection Snapchat claimed to have put in place hadn’t worked that well.

Nevertheless, the company’s curious response was to avoid apologising, suggesting instead that it had as good as closed the door on the attack through smart programming.

(Perhaps it meant that its preventative measures were merely “theoretical”?)

Honour, however, has now been restored, with Snapchat having recently issued a short statement that includes an apology:

This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This option is available in Settings > Mobile #.

This update also requires new Snapchatters to verify their phone number before using the Find Friends service.

Our team continues to make improvements to the Snapchat service to prevent future attempts to abuse our API. We are sorry for any problems this issue may have caused you and we really appreciate your patience and support.

From the announcement, it sounds as though you will have to enter a phone number – and verify it, presumably by replying to an SMS or emailing back a registration code – before you can look up other people by phone number.

That seems reasonable, as a way of making you accountable for what you subsequently do with the service.

What’s not so reasonable is that if you want your own number to be unsearchable, you have to remember to go and opt out. (Presumably, therefore, everyone is searchable at least briefly, because you can’t opt out until after you’ve handed over your number.)

Theoretically, at least, things really ought to be the other way around, where you subsequently opt in if you want your number to be found by others.

Of course, it would be a little unfair to pick on Snapchat over its choice of opt-out here.

Sadly, opt-out is the direction that online services prefer, at least where permitted by law, and the direction that we collectively seem to have accepted.