Sophos Cloud Optix
Snapchat and the US Federal Trade Commission (FTC) agreed to terms in a settlement over privacy complaints, including that the fast-growing mobile messaging service had “deceived users.”
According to a statement by the FTC, Snapchat made “multiple misrepresentations to consumers about its product that stood in stark contrast to how the app actually worked,” among a list of other complaints.
Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting user data privacy, and will be required to implement a comprehensive privacy program that will be monitored for the next 20 years.
The agreement is open for public comment until 9 June 2014, when the FTC will make its final decision. The five-member panel voted 5-0 to make the recommendation.
Snapchat wrote on its blog that it made “mistakes” in the early days of the company, but that is has “fixed” the problems that have plagued the company in recent months.
Let’s hope that Snapchat has learned its lesson, because the list of complaints against it is long.
The main concern of the FTC’s complaint against Snapchat was its false claim that user snaps (photos and videos taken of the user using the app) would “disappear forever.”
A security bungle in December 2013 led to a data breach of 4.6 million of Snapchat users’ names and phone numbers, which also got the FTC and the US Congress interested.
From the FTC’s announcement of the settlement, we find out that the Snapchat app was harvesting contacts from users without their knowledge or consent, and did not secure the “Find friends” feature that allowed users to search phone numbers.
According to the FTC:
Snapchat's privacy policy claimed that the app only collected the user's email, phone number, and Facebook ID for the purpose of finding friends.
Despite these representations, when iOS users entered their phone number to find friends, Snapchat also collected the names and phone numbers of all the contacts in their mobile device address books.
Snapchat continued to collect this information without notifying or obtaining users' consent until Apple modified its operating system to provide such notice with the introduction of iOS 6.
That’s not all – Snapchat also misrepresented its collection of location data from users of its Android app, which it stored unencrypted, despite claiming otherwise in its privacy statement.
It’s no secret that Snapchat has invited controversy from the get-go, and its handling of privacy concerns has been clumsy.
However, the company now says it is taking user privacy and security seriously.
In its 8 May 2014 blog post, Snapchat said that it will “continue to invest heavily in security and countermeasures to prevent abuse.”
Snapchat’s statement continues:
We are devoted to promoting user privacy and giving Snapchatters control over how and with whom they communicate. That's something we've always taken seriously, and always will.
Snapchat’s shady history
Snapchat’s messenger service initially gained popularity due promises that the selfie images users shared from the app would be deleted after a few seconds, making it ideal for spontaneous sexting.
Not so fast – the pictures and videos stay right on a user’s phone and the recipient can easily grab screenshots or use workarounds to save the snap.
After Snapchat’s rocky beginnings, the company’s rapid growth attracted the attention of Facebook, which offered to buy Snapchat in 2013 for $3 billion.
Snapchat’s founding CEO Evan Spiegel refused the offer, and Facebook turned around to acquire another mobile messenger app, WhatsApp, for $19 billion.
The Snapchat messenger app is most popular with young people, and has been used by 46% of 12-24 year-olds in the US, with 50 million active monthly users.
As we remarked after Snapchat refused to appear before a US Senate committee on data breaches back in March 2014, young companies like WhatsApp and Snapchat have been reckless in their disregard for user data security.
Snapchat now confesses that it was focused on things other than user privacy – which isn’t comforting – and the company only acknowledges some of the truth:
While we were focused on building, some things didn't get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community.
Completely misrepresenting its policies to users was only part of the problem – Snapchat’s total lack of security for the data it collects was most egregious.
Now the company will have the watchful eye of a privacy auditor for the next 20 years, so it will have to follow through on its promises.
Obviously snapchat can’t guarantee what the recipient will do. I could use a digital camera and take a photo of the snapchat on my phone. How are they going to prevent that? How is this snapchats fault?
Snapchat made explicit promises to its users that their snaps would be deleted when they weren’t. That’s called lying.
Snapchat can’t control what users do with the app, but they sure ought to tell the truth about what it does.
Snapchat doesn’t call it “lying,” but instead calls it not being “precise with how we communicated with the Snapchat community” 🙂
What happened to hefty fines from the FTC when a company is so in violation of most every FTC rules? Or did I miss that paragraph?
I suggest you take that up with the FTC! Public commenting is open until June 9th. 🙂