As a country we are quickly approaching a time in which most adults will be disqualified from being elected to public office because of something they posted on their social media account while growing up. Against this backdrop of over-sharing, Snapchat, Inc. won over the hearts of its users with the promise that its mobile application would permit the user to send messages that would “disappear” after a designated number of seconds. As the popularity of the mobile application grew, so too did concerns regarding its data security practices and its ability to deliver on the promises made to its users. By December 2012, various methods for accessing or keeping photos and video sent through the mobile app (“snaps”) began circulating on the Internet. Then, in the final days of 2013, a vulnerability in the application allowed hackers to obtain and publish millions of Snapchat usernames and phone numbers.
The Federal Trade Commission has announced a settlement with Snapchat that will require Snapchat to implement a comprehensive privacy program and submit to monitoring for a period of 20 years. The FTC’s initial complaint collected statements regarding the disappearance of snaps from Snapchat’s marketing materials and description pages on mobile application platforms. In the examples highlighted by the FTC, Snapchat assures its users that messages “disappear forever” and that each sender “control[s] how long your friends can view your message.” Snapchat’s own FAQ includes the following exchange:
Is there any way to view an image after the time has expired?
No, snaps disappear after the timer runs out . . .
Most of the focus on the settlement has been on the implications of ill-advised selfies surviving beyond their intended lifespan, but for mobile app developers, there are a number of key takeaways that highlight the pitfalls and struggles of successfully bringing a product to market:
Your Marketing Matters – For mobile app products, there is a comparatively higher risk that marketing statements intended to convey the idea of the product can result in material inaccuracies because (i) in a crowded field, new products and services struggle to distinguish themselves and grab the attention of prospective users and (ii) rapidly developing technology can quickly turn an accurate statement into a misleading promise. In the case of Snapchat, both of these factors appear to have been an issue. The simplicity of Snapchat’s marketing description of the “disappearing” snaps failed to reflect a process in which the application saved files outside of the temporary storage area that was primarily used by the application. In addition, third-party developers were able to build programs that could be used to download and permanently save messages. Even as these programs grew in popularity (as noted by the FTC, tens of these third-party applications have been downloaded as many as 1.7 million times on Google Play alone), the marketing materials and product descriptions used by Snapchat remained unchanged long after they continued to be entirely true. Marketing campaigns and publicly-facing product descriptions should be reviewed periodically to ensure that they remain up-to-date and do not sell users a product the service provider cannot deliver.
As a result of this combination of factors, a user could conclude that only his or her phone number was being used. The features considered by the FTC in alleging that Snapchat deceived its users in connection with the Find Friends feature emphasizes the degree to which user expectations matter when it comes to collecting and processing information. As we’ve previously discussed, user consent may not shield you from all negative consequences if the user doesn’t understand what they are consenting to. It is also worth noting that in collecting all data from user contacts, the FTC alleges that Snapchat failed to properly secure the collected data or implement a registration process that prevented the creation of fraudulent accounts. The public relations and regulatory issues faced by Snapchat following incidents of fraud and its own data breach are a reminder that the easiest way to reduce your risk profile is to limit data collection to information that is truly necessary, and implement a retention policy that ensures that unneeded and outdated information is securely destroyed.
Implement a Response Process – As noted above, many of the flaws in Snapchat’s mobile application were known as far back as 2012. According to the FTC’s complaint, Snapchat was notified by third parties about issues related to the storage of snaps and security vulnerabilities, but failed to act on those warnings. We’ve seen an increase in FTC settlements where a service provider’s failure to heed third party security warnings have been a major factor. At this point there is no question that an efficient and specifically-tailored response plan for security feedback should be considered a necessary part of any reasonable information security program.