Regulators reprimand Snapchat over false claims about messaging service

http://www.theguardian.com/technology/2014/may/08/snapchat-ftc-false-claims-messaging-service

Version 0 of 1.

US regulators have slapped Snapchat, the mobile messaging service, for falsely promising its users that their messages “disappear forever”.

The Federal Trade Commission (FTC) said on Thursday that the fast-growing service had deceived people about the privacy of the messages sent through its service and secretly collected sensitive information about its users.

Services promising users greater privacy have become increasingly popular in the wake of National Security Agency whistleblower Edward Snowden’s revelations. According to Snapchat, this month users are sending 700m photos and videos per day. Snapchat messages, known as snaps, are timed to delete after they have been viewed.

The FTC said that, in marketing its service, Snapchat failed to disclose the ease with which users can save a message by taking an undetectable screenshot or by using a third-party program. Apps allowing snap recipients to copy and store messages indefinitely have been downloaded “millions of times”, said the FTC. Despite a security researcher warning the company about this possibility, the FTC said, “Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap.”

Christopher Olsen, assistant director in the division of privacy and identity protection at the FTC, said: “The agency certainly supports the development of privacy protected apps, but if there is one message we want to make clear, it’s that if you make promises about privacy, you must honor them.”

The FTC alleged that Snapchat deceived consumers over the amount of personal data it collected and the security measures taken to protect that data. The commission said the company collected location details unbeknownst to users. It also criticised Snapchat’s failure to secure its “Find Friends” feature, which looks through someone’s phone contacts to see if they are on the service. That failure led to a security breach that allowed attackers to compile a database of 4.6m Snapchat usernames and phone numbers.

Snapchat did not verify users' phone numbers on its Find Friends feature. As a result, people could register someone else’s phone number as their own, leading users to send to complete strangers snaps they had assumed were going to a friend.

The investigation followed a complaint from Electronic Privacy Information Center (EPIC) to the FTC which charged Snapchat with using “unfair and deceptive acts and practices”.

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said the FTC chairwoman, Edith Ramirez. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

A number of “anonymous” apps including Whisper and Secret have been launched recently promising the ability to post unidentified messages. Olsen said the FTC was increasingly focussing on mobile apps but declined to comment on whether others were under investigation.

“There is a demand out there that apps are moving to fill,” said Olsen. “We think that sort of competition is a good thing, but again, we are very focussed on making sure that the companies that make these promises stand ready to meet them.”

In a blogpost Snapchat said: “When we started building Snapchat, we were focused on developing a unique, fast and fun way to communicate with photos. We learned a lot during those early days. One of the ways we learned was by making mistakes, acknowledging them, and fixing them.

“While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community.”

The company has entered into a consent decree with the FTC that prohibits it misrepresenting the extent to which it maintains the privacy, security or confidentiality of users’ information. Snapchat will be required to implement a comprehensive privacy programme that will be monitored by an independent privacy professional for the next 20 years.

“Even before today’s consent decree was announced, we had resolved most of those concerns over the past year by improving the wording of our privacy policy, app description, and in-app just-in-time notifications. And we continue to invest heavily in security and countermeasures to prevent abuse,” said Snapchat.

“We are devoted to promoting user privacy and giving Snapchatters control over how and with whom they communicate. That’s something we’ve always taken seriously, and always will.”