Snapchat agreed Thursday to settle Federal Trade Commission charges that it deceived consumers with promises about how soon messages sent through the service would disappear. The FTC case also alleged that the company deceived consumers about the amount of personal data it collected and the security measures taken to protect that data.
In addition, the case alleges Snapchat’s failure to secure its Find Friends feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.
According to the FTC’s lawsuit, Snapchat made statements to consumers about its product that didn’t match up to how the app actually worked.
“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez.
Touting the “ephemeral” nature of “snaps,” the term used to describe photo and video messages sent by the app, Snapchat marketed the app’s central feature as the user’s ability to send snaps that would “disappear forever" after the sender-designated time period expired. Despite Snapchat’s claims, the lawsuit describes several simple ways that recipients could save snaps indefinitely.
Consumers can, for example, use third-party apps to log into the Snapchat service, according to the FTC. Because the service’s deletion feature only functions in the official Snapchat app, recipients can use third-party apps to view and save snaps indefinitely.
Despite a security researcher warning the company about this possibility, the lawsuit alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap.
Additional charges
- Snapchat stored video snaps unencrypted on the recipient’s device in a location outside the app’s “sandbox,” meaning that the videos remained accessible to recipients who simply connected their device to a computer and accessed the video messages through the device’s file directory.
- Snapchat deceptively told its users that the sender would be notified if a recipient took a screenshot of a snap. However, any recipient with an Apple device that has an operating system pre-dating iOS 7 can use a simple method to evade the app’s screenshot detection, and the app won’t notify the sender.
- The company misrepresented its data collection practices. Snapchat transmitted location information from users of its Android app, despite saying in its privacy policy that it didn’t track or access such information.
- Snapchat collected iOS users’ contacts information from their address books without notice or consent.
Charges related to “Find Friends” feature
The FTC said many consumers complained that they’d sent snaps to someone under the false impression that they were communicating with a friend. However, because Snapchat failed to verify users’ phone numbers during registration, these consumers were actually sending their personal snaps to complete strangers who had registered with phone numbers that didn’t belong to them.
Settlement terms
Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting its privacy, security, or confidentiality of users’ information. In addition, the company will be required to carry out a comprehensive privacy program that will be monitored by an independent privacy professional for 20 years.
The FTC didn't fine Snapchat for its deceptive practices.
