On Thursday, May 8, 2014, mobile messaging application Snapchat agreed to settle Federal Trade Commission (“FTC”) charges that it made false or misleading representations about the ephemeral nature of its messages, the collection of user information, and the nature of its security practices. The FTC Complaint alleges six counts, many of which demonstrate the Commission’s aggressive enforcement of the FTC Act in the mobile space.
According to the Complaint, the Snapchat app allows users to send and receive photo and video messages, or “snaps,” for a limited period of time. In marketing its app, Snapchat has stated that its snaps “disappear forever” after the limited time expires. The company has also said that it will notify senders in the event that a recipient manages to take a screenshot of the message prior to its disappearance.
In Count 1 of the Complaint, the FTC alleges Snapchat’s disappearance claim was false or misleading because users could circumvent Snapchat’s deletion feature by logging on to Snapchat through third-party apps and, for a time, could locate “deleted” messages by connecting their phones to a computer and using local browsing tools. Chairwoman Ramirez, in announcing the Snapchat decision at a lunch program hosted by the Media Institute, noted in response to an audience question that this count did not mean that the FTC was holding Snapchat liable for the actions of unrelated third parties, but that the FTC believes that a developer has an obligation to reform its privacy representations when it is on notice that third parties have widely marketed tools that undermine those representations.
Similarly, the FTC charged that Snapchat’s screenshot notification claim was deceptive because Apple users running on pre-iOS 7 platforms could circumvent Snapchat’s screenshot detection mechanism by pressing the Home button twice, in rapid succession (Count 2).
The Complaint goes on to charge that Snapchat’s analytics tracking service provider collected users’ location information, in violation of Snapchat’s privacy policy, which stated that Snapchat did not collect location data (Count 3). It also charges that, when users employed the Find Friends feature, Snapchat collected the names and phone numbers of all contacts in the user’s mobile device address book, also in violation of its privacy policy (Count 5), and without user consent (Count 4).
Finally, the FTC alleges that Snapchat misrepresented that it employed “reasonable” security practices. The FTC grounds this allegation in the fact that Snapchat failed to verify that the phone number entered by a user belonged to the mobile device being used, that Snapchat did not restrict the number of Find Friend requests that could be made, and that Snapchat did not restrict serial or automatic account creation. According to the Complaint, these failures led to a December 2013 data breach, in which hackers compiled a database of 4.6 million Snapchat usernames and phone numbers.
For its violations of Section 5 of the FTC Act, Snapchat agreed to implement a privacy program that will be subject to monitoring for 20 years. Snapchat also agreed to refrain from making future misrepresentations about the extent to which a message is deleted, the extent to which Snapchat may detect screenshots or notify senders of them, the information Snapchat collects, and Snapchat’s security measures.
The Snapchat settlement is part of the FTC’s ongoing campaign “to ensure that companies market their apps truthfully.” And, while Count 4 appears to be typical of the FTC’s past privacy enforcement actions, the others cement the FTC’s aggressive stance in the mobile privacy arena. Counts 1 and 2 are worth noting because they allege that the company made false or misleading statements where the deceptive nature of the statements was the result of users’ and third parties’ misuse of the company’s product. Count 3 reinforces the fact that the FTC will not hesitate to act where the actions of a third-party service provider violate a company’s privacy policy. Count 5 alleges that Snapchat did not “design” its program with sufficient security protections, which may indicate that the FTC will begin focusing not only on results, but also on the design processes, a crucial element of “privacy by design.” And Count 6 cautions that the FTC will adopt a broad view of what it considers to be failed security practices, especially where a breach occurs.