Snapchat last week joined Google, Facebook and Apple among companies that regularly disclose the number and type of requests they receive from law enforcement for user data.
According to its first Transparency Report – covering the four months between 1 November 2014 and 28 February 2015 – Snapchat received 375 requests for data on 666 user accounts in the United States, and provided some data in 92% of those requests.
Only 28 requests on 35 user accounts came from law enforcement in all other countries combined during that period, and Snapchat turned over some data in just 21% of those requests.
Snapchat said it will provide bi-annual [sic – we infer that Snapchat means “every six months”] transparency reports beginning in July 2015, but “in the interest of transparency” decided to release its first report before it had a full six months of data.
As Snapchat makes clear in its guidelines for law enforcement, Snapchat releases user data “voluntarily” in cases of emergencies, and in non-emergency cases only in response to a warrant or court order.
Because the big idea behind Snapchat’s services is that user messages will be deleted after all recipients have viewed them, message content may not be available – many law enforcement requests will only turn up metadata on who was chatting with whom.
However, in some “limited cases” (such as if the recipient has not opened a message within 30 days), messages are preserved for longer.
Snapchat says it will only turn over message content with a state or federal search warrant.
Law enforcement can also make requests for preservation of user data for up to 180 days.
The transparency report represents a big step for Snapchat, which formerly described its service in a way that might lead users to think turning over their content to law enforcement would be impossible.
Snapchat’s app description in Google Play once said that your messages would “disappear forever,” a complete fabrication that got Snapchat into a lot of trouble with privacy watchdogs (including us at Naked Security).
We’ve written about Snapchat many times in the past year, mostly because the four-year-old messaging service was doing such a bad job of protecting its users’ privacy and security.
Last May, Snapchat settled a privacy complaint with the US Federal Trade Commission, which slapped the company with a 20-year probation for deliberately misleading users about its “disappearing” messages.
In response to the FTC settlement, and a few other high-profile security incidents, Snapchat appears to be making significant moves to shore up its reputation and protect user privacy.
According to a report from Backchannel, Snapchat has completely locked down its API to prevent access by third-party apps, many of which allow users to archive Snaps in violation of Snapchat’s terms of service.
That should hopefully prevent another case like “The Snappening,” when a breach of third-party service SnapSaved led to thousands of private Snapchat images leaking online.
Jad Boutros, whom Snapchat hired away from Google in April 2014 to act as its director of information security, told Backchannel he is building a “culture of security.”
By clamping down on third-party apps, Boutros says Snapchat will be able to snuff out spam and other abuses of its service.
One other way Boutros hopes to bring Snapchat into the security mainstream is by opening up its bug bounty program.
If Snapchat hopes to avoid any more epic privacy failures, its newfound “culture of security” and the openness it’s showing with its first transparency report are promising developments.