Snapchat's Reputation is Vanishing (Unlike its Images)

FTC takes it to task for misleading privacy policy, other transgressions. You should take another look at your company's privacy policy.

False advertising complaints can sometimes sound like nitpicking, with the government zeroing in on some offhand comment in a commercial. But the Federal Trade Commission's detailed charges against Snapchat, announced on Thursday, May 8, are devastating because they go to the heart of everything that Snapchat has positioned itself as. (You really should read the full settlement before you use Snapchat again.)

The FTC established that, unlike the wacky "we'll let people pop up your screen without permission" program Snapchat unveiled last week, Snapchat's disappearing texts and images don't actually go away if the recipient doesn't want them to. Snapchat claimed, "We'll let you know if [the recipient] takes a snapshot." The FTC says, "Not so much, no."

Snapchat's privacy policy said, "We do not ask for, track, or access any location-specific information from your device at any time while you are using the Snapchat application." The FTC: "Snapchat did not disclose that it would, in fact, access location information, and continued to represent that Snapchat did 'not ask for, track, or access any location specific information.' Contrary to the representation in Snapchat's privacy policy, from October 2012 to February 2013, the Snapchat application on Android transmitted Wi-Fi-based and cell-based location information from users' mobile devices to its analytics tracking service provider."

Then there's Snapchat's Find Friends feature. "When the user chooses to Find Friends, Snapchat collects not only the phone number a user enters, but also, without informing the user, the names and phone numbers of all the contacts in the user's mobile device address book." Oops!

That last one was corrected by Snapchat in September 2012, but the FTC stresses that it was hardly because Snapchat saw the error of its ways. "Snapchat did not provide notice of, or receive user consent for, this collection until September 2012, at which time the iOS operating system was updated to provide a notification when an application accessed the user's address book." In other words, Snapchat made the fix only because the OS was about to expose what it was doing.

The FTC also detailed a lack of Snapchat effort to verify phone numbers, which had serious consequences. "From September 2011 to December 2012, Snapchat failed to verify that the phone number that an iOS user entered into the application did, in fact, belong to the mobile device being used by that individual. Due to this failure, an individual could create an account using a phone number that belonged to another consumer, enabling the individual to send and receive snaps associated with another consumer's phone number. Numerous consumers complained to Snapchat that individuals had created Snapchat accounts with phone numbers belonging to other consumers, leading to the misuse and unintentional disclosure of consumers' personal information. For example, consumers complained that they had sent snaps to accounts under the belief that they were communicating with a friend, when in fact they were not, resulting in the unintentional disclosure of photos containing personal information. In addition, consumers complained that accounts associated with their phone numbers had been used to send inappropriate or offensive snaps."

The government also took issue with Snapchat's lack of limits on account creation, which it said was the precise cause of a major Snapchat data breach. "From September 2011 to December 2013, Snapchat failed to implement effective restrictions on the number of Find Friend requests that any one account could make to its API. Furthermore, Snapchat failed to implement any restrictions on serial and automated account creation. As a result of these failures, in December 2013, attackers were able to use multiple accounts to send millions of Find Friend requests using randomly generated phone numbers. The attackers were able to compile a database of 4.6 million Snapchat usernames and the associated mobile phone numbers. The exposure of usernames and mobile phone numbers could lead to costly spam, phishing, and other unsolicited communications."

Snapchat's defense for all of this? "When we started building Snapchat, we were focused on developing a unique, fast, and fun way to communicate with photos. We learned a lot during those early days. One of the ways we learned was by making mistakes, acknowledging them, and fixing them," a Snapchat statement said. "While we were focused on building, some things didn't get the attention they could have." Didn't get the attention they could have? That makes it sound like inadvertent holes weren't noticed. Grabbing the customer data without saying anything? Touting the disappearing images knowing they sometimes didn't? It doesn't look like a lack of attention. It reads far more like it got a whole lot of the wrong kind of attention. The "let's see how much we can get away with" kind of attention.

Some of the false claims rested on statements that the company knew to be not true. Snapchat said there was no way for an image to be seen after the pre-selected time expired, but it knew at the time of quite a few ways to do so, including apps designed for that purpose. How easy was it to get around the screenshot detection? The FTC made a good case that it was stunningly easy: "On versions of iOS prior to iOS 7, the recipient need only double press the device's Home button in rapid succession to evade the detection mechanism and take a screenshot of any snap without the sender being notified. This method was widely publicized."

In short, the attribute that is most identified with Snapchat -- that an image will disappear forever after a few seconds -- was bogus. Oh, it works well enough if the recipient plays by the rules and stays within the app. But consumers can't rely on message recipients to do that. They trusted Snapchat. Their bad.

The good news is that the FTC is starting to force companies to do what they say they do. Look at your own company's privacy policy. How much of it is fully and honestly true? Does it acknowledge all of the ways that the system's safeguards can be outsmarted?

Workarounds are a fact of life in IT. In my last job, a portion of our content required a paid subscription. We asked subscribers to please not make copies of the content and share them publicly. Did a lot of people do it anyway? Absolutely. But we never told subscribers that it was impossible to do. We simply hoped that they would play by the rules.

Years ago, when Amazon was starting its Look Inside the Book feature, it provided no direct way to save the images, in order to make publishers more comfortable. But it could still be done with a simple screen capture. When Amazon announced that it had blocked the hole, we found that the hole existed using less popular browsers. I had the chance at the time to ask Jeff Bezos about the hole, and he was very realistic about it, saying that there's only so much one can do to protect content that is viewable by others. As a practical matter, no one would likely take the many hours required to recreate a book.

But Amazon never said that it couldn't be done.

Therein lies the Snapchat headache. It didn't fib about a minor feature. It directly lied about its most significant features, the heart of its app. Maybe its images don't really disappear, but Snapchat's reputation is starting to.

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for, RetailWeek and eWeek. Evan can be reached at and he can be followed at Look for his column every other Tuesday.

Read more about privacy in Computerworld's Privacy Topic Center.

This story, "Snapchat's Reputation is Vanishing (Unlike its Images)" was originally published by Computerworld.

Copyright © 2014 IDG Communications, Inc.

7 secrets of successful remote IT teams