Snapchat pays up over privacy allegations, gets slapped with 20-year probation

Looks like Snapchat’s famously disappearing photos might not be so ephemeral after all.

The Federal Trade Commission (FTC) just issued a statement that Snapchat has agreed to settle some pretty serious charges. The FTC alleges that the startup has been falsely claiming that messages are truly disappearing, as well as other misrepresentations.

[aditude-amp id="flyingcarpet" targeting='{"env":"staging","page_type":"article","post_id":1469548,"post_type":"story","post_chan":"none","tags":null,"ai":false,"category":"none","all_categories":"security,social,","session":"A"}']

Although the settlement agreement is not an admission of any wrongdoing on the part of Snapchat, the company has agreed to alter its marketing and privacy policy claims in accordance with the agreement. It also has to be monitored by an independent privacy professional for the next 20 years.

The two main areas of concern for the FTC are the company’s inaccurate claims over messages’ ephemerality and the company’s failure to fully secure its “Find Friends” feature.

From the agency’s official statement:

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” said FTC Chairwoman Edith Ramirez.  “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

Touting the “ephemeral” nature of “snaps,” the term used to describe photo and video messages sent via the app, Snapchat marketed the app’s central feature as the user’s ability to send snaps that would “disappear forever” after the sender-designated time period expired.  Despite Snapchat’s claims, the complaint describes several simple ways that recipients could save snaps indefinitely.

Consumers can, for example, use third-party apps to log into the Snapchat service, according to the complaint.  Because the service’s deletion feature only functions in the official Snapchat app, recipients can use these widely available third-party apps to view and save snaps indefinitely. Indeed, such third-party apps have been downloaded millions of times.  Despite a security researcher warning the company about this possibility, the complaint alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap.

The complaint also alleges that Snapchat stores video messages unencrypted on users’ devices but outside of the app itself, that users with Apple devices with operating system pre-iOS 7 can use a workaround method to take screenshots without notifying the sender, and that the Android app transmits geolocation data despite Snapchat’s privacy policy stating it does not track or collect such data.

As for the improperly secured “Find Friends” feature, the FTC alleges that because Snapchat failed to verify users’ phone numbers during registration, many users, while thinking they were messaging friends, have unknowingly sent messages to strangers who had registered with phone numbers that did not belong to them.

Additionally, Snapchat’s failure to secure this feature led to a recent security breach, and attackers were able to gather a database of 4.6 million usernames and phones. Snapchat then implemented a CAPTCHA-like feature to verify that new users are indeed human. Unfortunately, a security professional quickly found a workaround, showing it may be an ineffective measure.

The company recently released a new chat feature which it also markets as being “ephemeral,” meaning that the chat communication and video-chat content disappears after being viewed.