On May 8, 2014, Snapchat, Inc., the developer of a popular mobile messaging app, entered into a consent order settling Federal Trade Commission (FTC) charges for deceiving consumers with promises about the disappearing nature of messages sent through the service. The case and events leading up to it provide a cautionary tale for all companies involved in marketing, providing apps, or having control of private consumer information.
Snapchat gained notoriety for its advertised "ephemeral" nature of photo and video messages ("snaps") sent via the app. It claimed the messages would "disappear forever" after the sender-designated time period expired (usually ten seconds). The FTC complaint, however, described several simple ways that recipients could save snaps indefinitely. For instance, because Snapchat's deletion feature only functioned in the official Snapchat app, recipients could use widely available third-party apps to view and save snaps indefinitely. The FTC alleged that such third-party apps had been downloaded millions of times. The complaint also alleged that a security researcher warned Snapchat about the risk, but Snapchat continued to misrepresent that the sender "controls" how long a recipient can view a snap. In addition, the FTC alleged that, contrary to Snapchat's representation that the sender would be notified if a recipient took a screenshot of the snap, any recipient using an Apple device with an operating system pre-dating iOS 7 could evade the app's screenshot detection and notification process.
The FTC was also concerned with privacy misrepresentations relevant to many companies providing apps. For example, the FTC alleged that Snapchat transmitted geolocation information from users of its Android app, that it deceived consumers over the amount of personal data it collected and the security measures taken to protect that data from misuse and unauthorized disclosure, and that it failed to secure its "Find Friends" feature, resulting in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.
Chair Edith Ramirez expressed the agency's central concern. "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises," she said. "Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action."
Under the terms of its settlement, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users' information. In addition, the company must implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.
The FTC claims that the Snapchat settlement is part of the FTC's "ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers" and is part of a multi-national enforcement sweep on mobile app privacy by members of the Global Privacy Enforcement Network, a cross-border coalition of privacy enforcement authorities.
The FTC action against Snapchat provides useful lessons:
- The two primary problems that appeared to lead to the FTC's interest in Snapchat were the ability of users to access Snapchat photos through a "back door" using a third-party app and the recipients' ability to evade the screenshot notification. Public reports indicate that Snapchat was notified of the first issue and allegedly failed to react quickly to fix it or change its disclosures. Beyond being wary of the potential for such access, companies should respond quickly when such security vulnerabilities are pointed out. In addition, app developers and legal teams should tailor representations to note differences in operating systems or other factors that may affect those representations. In this case, a carefully worded disclosure about pre-iOS 7 operating systems might have avoided the alleged misrepresentation about the screenshot notification feature, and would likely have limited future liability with respect to private actions.