Snapchat, the developer of a popular mobile messaging app, settled Federal Trade Commission (FTC)  charges that its promises of “disappearing messages” were false and that it transmitted users’ locations  and collected their address books without providing notice to users or obtaining their consent.

COMPLAINT

According to the FTC’s complaint,  Snapchat’s mobile application allows  consumers to send and receive  photo and video messages known  as “snaps.”  The FTC noted that,  before sending a snap, the application  requires the sender to designate a  period of time that the recipient will  be allowed to view the snap, and that  Snapchat marketed its application as  a service for sending “disappearing”  photo and video messages, declaring  that the message sender “control[s]  how long your friends can view your  message.”

Despite Snapchat’s claims, the FTC  contended that several methods exist  by which a recipient can use tools  outside of the application to save both  photo and video messages, allowing  the recipient to access and view the  photos or videos indefinitely.  For  example, when a recipient receives a  video message, the application stores  the video file in a location outside of  the application’s “sandbox” (i.e., the  application’s private storage area on the device that other applications  cannot access).  According to the FTC,  until October 2013, a recipient could  connect his or her mobile device to a  computer and use simple file browsing  tools to locate and save the video file.   Although this method for saving video  files was widely publicized as early as  December 2012, the FTC contended  that Snapchat did not mitigate this flaw  until October 2013.

The FTC also asserted that third-party  developers built applications – which  were downloaded millions of times  – that could connect to Snapchat’s  application programming interface  (API), thereby allowing recipients  to log into the Snapchat service  without using the official Snapchat  application.  The problem with this,  the FTC contended, was that because  the timer and related “deletion”  functionality were dependent on the  recipient’s use of the official Snapchat  application, recipients could instead  simply use a third-party application to  download and save both photo and  video messages.  The FTC claimed  further that, in addition to these  methods, a recipient could use the  mobile device’s screenshot capability to capture an image of a snap while it  appears on the device screen, and that  recipients could “easily circumvent”  Snapchat’s screenshot detection  mechanism.

The FTC also alleged that Snapchat  misrepresented its data collection  practices by transmitting geolocation  information from users of its Android  app despite saying in its privacy  policy that it did not track or access  this information.  According to the  FTC, Snapchat also collected contact  information from users’ address  books without notice or consent, and  continued to do so without notifying  users or obtaining their consent until  Apple modified its operating system to  provide notice with the introduction of  iOS 6.

Finally, the FTC’s complaint alleged  that Snapchat’s failure to secure its  “Find Friends” feature resulted in a  security breach that enabled attackers  to compile a database of 4.6 million  Snapchat usernames and phone  numbers.

SETTLEMENT

Under the terms of its proposed  consent agreement with the  FTC, Snapchat is prohibited from  misrepresenting the extent to which  it maintains the privacy, security, or  confidentiality of users’ information,  including, but not limited to:

  1. The extent to which a message is  deleted after being viewed by the  recipient;
  2. The extent to which Snapchat or its  products or services are capable of  detecting or notifying the sender  when a recipient has captured a  screenshot of, or otherwise saved, a  message;
  3. The categories of personal user  information Snapchat collects; or
  4. The steps Snapchat takes to  protect against misuse or  unauthorized disclosure of personal  user information.

In addition,Snapchat must implement  a comprehensive privacy program that  will be monitored by an independent  privacy professional for the next 20 years.

THE BOTTOM LINE

The settlement with Snapchat is part of the FTC’s continuing effort to ensure that  companies market their apps truthfully and honor their privacy promises to  consumers.  Companies should note that a statement in a privacy policy is like any  other claim – it must be accurate, not deceptive and supportable.  In announcing the  proposed settlement, FTC Chairwoman Edith Ramirez stated that, “If a company  markets privacy and security as key selling points in pitching its service to  consumers, it is critical that it keep those promises.” The FTC’s message is a  longstanding one, and one that is unlikely to disappear anytime in the near future.