FTC Finalizes Snapchat Settlement
Agency's Investigation Triggered by Data Breach
The Federal Trade Commission has approved a final order settling charges that Snapchat, which offers a photo and video mobile messaging application, deceived consumers with promises about the disappearing nature of messages sent through the service.
The settlement is part of the FTC's ongoing effort to ensure companies truthfully market their apps and keep the privacy promises made to consumers. As part of the order, Snapchat is prohibited from misrepresenting the extent to which it maintains the privacy, security or confidentiality of users' information.
In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years, the FTC says.
Case Background
The FTC's investigation was triggered by a January 2014 breach in which a group of hackers using the name SnapchatDB claimed to have compromised the usernames and phone numbers of as many as 4.6 million Snapchat users.
SnapchatDB said it downloaded the information by exploiting a flaw in Snapchat and then posted it to a website called SnapchatDB.info, according to the Washington Post. The site has since been suspended.
The breach followed a report published Dec. 25, 2013, by a security group called Gibson Security, which described a Snapchat vulnerability that could be used to compile exactly such a database of Snapchat usernames and phone numbers.
On May 8, 2014, Snapchat acknowledged the pending FTC settlement in a blog post. "Even before today's consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description and in-app just-in-time notifications," the blog stated. "And we continue to invest heavily in security and countermeasures to prevent abuse."
FTC Investigation
The FTC had alleged that Snapchat deceived consumers about the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.
"If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keeps those promises," said Edith Ramirez, FTC chairwoman. "Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action."
In its complaint, the FTC alleged that users who logged into the Snapchat server through third-party applications could save photo and video messages indefinitely. The service's deletion feature only functions in the official Snapchat app, the FTC said. In other words, message deletion was enforced by the client rather than by the server, so any client that could talk to the Snapchat server without implementing that behavior could simply retain what it received.
Among other allegations, the FTC complaint alleged that Snapchat stored video messages unencrypted on a recipient's device outside of the application's "sandbox," meaning the videos remained accessible to recipients who connected their device to a computer and browsed to the video files through the device's file directory, with no need to bypass the app itself.
Addressing Third-Party Apps
In November 2014, Snapchat implemented a new third-party applications policy for its users following an October incident in which Snapchat photos were apparently leaked online (see: Snapchat Photos Apparently Leaked).
"We will notify Snapchatters when we have detected that they may be using third-party apps and we'll ask those Snapchatters to change their password and stop using unauthorized apps," the company said.
The new policy was designed to improve the security and reliability of the service, Snapchat said. "We've enjoyed some of the ways that developers have tried to make Snapchat better," the company said. "Unfortunately, some developers build services that trick Snapchatters and compromise their accounts."