Snapchat Settles FTC Privacy Case
Charges Claim Company Misrepresented Security Features
As part of a settlement with the Federal Trade Commission over privacy and security misrepresentations, Snapchat, which offers a photo and video mobile messaging application, has agreed to launch a comprehensive privacy program that will be monitored for the next 20 years.
The FTC charged that Snapchat deceived consumers with promises about the disappearing nature of messages sent through the service, according to a May 8 statement. The FTC also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.
"If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keeps those promises," says Edith Ramirez, FTC chairwoman. "Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action."
In its complaint, the FTC alleges that users who logged into the Snapchat server through third-party applications could save photo and video messages indefinitely. The service's deletion feature only functions in the official Snapchat app, the FTC says.
The FTC complaint also alleges that Snapchat stored video messages unencrypted on a recipient's device outside of the application's "sandbox," meaning the videos remained accessible to recipients who connected their device to a computer and accessed the video messages through the device's file directory.
The settlement with Snapchat is part of the FTC's ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers, the agency says. Under the terms of its settlement, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security or confidentiality of users' information.
The FTC's investigation was triggered by a January breach incident in which a group of hackers using the name SnapchatDB claimed to have compromised the usernames and phone numbers of as many as 4.6 million Snapchat users (see: Snapchat Hack Affects 4.6 Million).
SnapchatDB says it downloaded the information using an exploit in Snapchat and then posted it to a website called SnapchatDB.info, according to the Washington Post. The site has since been suspended.
The breach followed a report posted on Dec. 25 by a security group called Gibson Security that highlighted a Snapchat vulnerability that could allow the compilation of a database of Snapchat usernames and phone numbers.