Snapchat, the developer of a popular mobile messaging app, settled Federal Trade Commission (FTC) charges that its promises of "disappearing messages" were false and that it transmitted users' locations and collected their address books without providing notice to users or obtaining their consent.

Complaint

According to the FTC's complaint, Snapchat's mobile application allows consumers to send and receive photo and video messages known as "snaps." The FTC noted that, before sending a snap, the application requires the sender to designate a period of time that the recipient will be allowed to view the snap, and that Snapchat marketed its application as a service for sending "disappearing" photo and video messages, declaring that the message sender "control[s] how long your friends can view your message."

Despite Snapchat's claims, the FTC contended that several methods exist by which a recipient can use tools outside of the application to save both photo and video messages, allowing the recipient to access and view the photos or videos indefinitely. For example, when a recipient receives a video message, the application stores the video file in a location outside of the application's "sandbox" (i.e., the application's private storage area on the device that other applications cannot access). According to the FTC, until October 2013, a recipient could connect his or her mobile device to a computer and use simple file browsing tools to locate and save the video file. Although this method for saving video files was widely publicized as early as December 2012, the FTC contended that Snapchat did not mitigate this flaw until October 2013.

The FTC also asserted that third-party developers built applications – which were downloaded millions of times – that could connect to Snapchat's application programming interface (API), thereby allowing recipients to log into the Snapchat service without using the official Snapchat application. The problem with this, the FTC contended, was that because the timer and related "deletion" functionality were dependent on the recipient's use of the official Snapchat application, recipients could instead simply use a third-party application to download and save both photo and video messages. The FTC claimed further that, in addition to these methods, a recipient could use the mobile device's screenshot capability to capture an image of a snap while it appears on the device screen, and that recipients could "easily circumvent" Snapchat's screenshot detection mechanism.

The FTC also alleged that Snapchat misrepresented its data collection practices by transmitting geolocation information from users of its Android app despite saying in its privacy policy that it did not track or access this information. According to the FTC, Snapchat also collected contact information from users' address books without notice or consent, and continued to do so without notifying users or obtaining their consent until Apple modified its operating system to provide notice with the introduction of iOS 6.

Finally, the FTC's complaint alleged that Snapchat's failure to secure its "Find Friends" feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.

Settlement

Under the terms of its proposed consent agreement with the FTC, Snapchat is prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users' information, including, but not limited to:

  1. The extent to which a message is deleted after being viewed by the recipient;
  2. The extent to which Snapchat or its products or services are capable of detecting or notifying the sender when a recipient has captured a screenshot of, or otherwise saved, a message;
  3. The categories of personal user information Snapchat collects; or
  4. The steps Snapchat takes to protect against misuse or unauthorized disclosure of personal user information.

In addition, Snapchat must implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years.

The Bottom Line

The settlement with Snapchat is part of the FTC's continuing effort to ensure that companies market their apps truthfully and honor their privacy promises to consumers. Companies should note that a statement in a privacy policy is like any other claim – it must be accurate, not deceptive and supportable. In announcing the proposed settlement, FTC Chairwoman Edith Ramirez stated that, "If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises." The FTC's message is a longstanding one, and one that is unlikely to disappear anytime in the near future.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.