Snapchat Settles FTC Privacy Case

Charges Claim Company Misrepresented Security Features

As part of a settlement with the Federal Trade Commission over privacy and security misrepresentations, Snapchat, which offers a photo and video mobile messaging application, has agreed to launch a comprehensive privacy program that will be monitored for the next 20 years.

The FTC charged that Snapchat deceived consumers with promises about the disappearing nature of messages sent through the service, according to a May 8 statement. The FTC also alleged that the company deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure.

"If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keeps those promises," says Edith Ramirez, FTC chairwoman. "Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action."

In its complaint, the FTC alleges that users who logged into the Snapchat server through third-party applications could save photo and video messages indefinitely. The service's deletion feature only functions in the official Snapchat app, the FTC says.

Among other allegations, the FTC complaint alleges that Snapchat stored video messages unencrypted on a recipient's device outside of the application's "sandbox," meaning the videos remained accessible to recipients who connected their device to a computer and accessed the video messages through the device's file directory.

The settlement with Snapchat is part of the FTC's ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers, the agency says. Under the terms of its settlement, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security or confidentiality of users' information.

Breach Investigation

The FTC's investigation was triggered by a January breach incident in which a group of hackers using the name SnapchatDB claimed to have compromised the usernames and phone numbers of as many as 4.6 million Snapchat users (see: Snapchat Hack Affects 4.6 Million).

SnapchatDB says it downloaded the information using an exploit in Snapchat and then posted it to a website called, according to the Washington Post. The site has since been suspended.

The breach followed a report posted on Dec. 25 by a security group called Gibson Security, which highlighted a Snapchat vulnerability that could allow an attacker to compile a database of Snapchat usernames and phone numbers.

On May 8, Snapchat acknowledged the FTC settlement in a blog post. "Even before today's consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description and in-app just-in-time notifications," the blog states. "And we continue to invest heavily in security and countermeasures to prevent abuse."

About the Author

Jeffrey Roman

News Writer, ISMG

Roman is the former News Writer for Information Security Media Group. Having worked for multiple publications at The College of New Jersey, including the College's newspaper "The Signal" and alumni magazine, Roman has experience in journalism, copy editing and communications.
