Privacy & Security Matters Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

“Selfie” Assessment – 4 Key Lessons from Snapchat’s Settlement with the FTC

Posted in Data Breach, Federal Trade Commission, Privacy Regulation

Written by Jake Romero, CIPP/US

As a country we are quickly approaching a time in which most adults will be disqualified from being elected to public office because of something they posted on their social media account while growing up.  Against this backdrop of over-sharing, Snapchat, Inc. won over the hearts of its users with the promise that its mobile application would permit the user to send messages that would “disappear” after a designated number of seconds.  As the popularity of the mobile application grew, so too did concerns regarding its data security practices and its ability to deliver on the promises made to its users.  By December 2012, various methods for accessing or keeping photos and video sent through the mobile app (“snaps”) began circulating on the Internet.  Then, in the final days of 2013, a vulnerability in the application allowed hackers to obtain and publish millions of Snapchat usernames and phone numbers.

The Federal Trade Commission has announced a settlement with Snapchat that will require Snapchat to implement a comprehensive privacy program and submit to monitoring for a period of 20 years.  The FTC’s initial complaint collected statements regarding the disappearance of snaps from Snapchat’s marketing materials and description pages on mobile application platforms.  In the examples highlighted by the FTC, Snapchat assures its users that messages “disappear forever” and that each sender “control[s] how long your friends can view your message.”  Snapchat’s own FAQ includes the following exchange:

Is there any way to view an image after the time has expired?

No, snaps disappear after the timer runs out . . .

In addition, the FTC accused Snapchat of (i) failing to accurately disclose the collection of certain sensitive information in its privacy policy, (ii) deceiving users with descriptions of information processed in connection with using certain app features and (iii) failing to reasonably secure collected information.

Most of the focus on the settlement has been on the implications of ill-advised selfies surviving beyond their intended lifespan, but for mobile app developers, there are a number of key takeaways that highlight the pitfalls and struggles of successfully bringing a product to market:

  • Your Marketing Matters – For mobile app products, there is a comparatively higher risk that marketing statements intended to convey the idea of the product can result in material inaccuracies because (i) in a crowded field, new products and services struggle to distinguish themselves and grab the attention of prospective users and (ii) rapidly developing technology can quickly turn an accurate statement into a misleading promise.  In the case of Snapchat, both of these factors appear to have been an issue.  The simplicity of Snapchat’s marketing description of the “disappearing” snaps failed to reflect a process in which the application saved files outside of the temporary storage area that was primarily used by the application.  In addition, third-party developers were able to build programs that could be used to download and permanently save messages.  Even as these programs grew in popularity (as noted by the FTC, tens of these third-party applications have been downloaded as many as 1.7 million times on Google Play alone), the marketing materials and product descriptions used by Snapchat remained unchanged long after they continued to be entirely true.  Marketing campaigns and publicly-facing product descriptions should be reviewed periodically to ensure that they remain up-to-date and do not sell users a product the service provider cannot deliver.

 

  • Use Every Update and Change as an Opportunity to Revisit Your Privacy Practices – The business and products of a start-up or developing product can change frequently.  In the mobile application industry in particular, the pressure to innovate can lead to additional features and functionalities being added under rushed circumstances, but the implementation of any product or business change should be include an assessment of what publicly-facing policies, if any, need to be updated as well.  In this case, the portion of the FTC’s claim involving Snapchat’s failure to disclose collection of information in its privacy policy arose from circumstances so common, they should give pause to every online service provider.  In October 2012, Snapchat began working with an analytics tracking service that collected geolocation data.  After integrating this new function, Snapchat’s privacy policy was not updated to disclose this additional collection and sharing of data so the policy continued to represent that the application does not ask for, track or access location-specific information.  Although certain use and collection of information (such as data analytics) is common in the industry, any change that alters the collection, processing, storage or sharing of data by the application or service should trigger a review of current policies; especially if third parties are involved.

 

  • Collect Only What You Need and Consider User Expectations – Many of the claims in the FTC’s complaint focused on Snapchat’s implementation and operation of its “Find Friends” feature.  This feature allows a user to let Snapchat determine whether that user had friends who use the application.  The FTC alleged that in offering the Find Friends feature to its users, Snapchat implied that the mobile phone number was the only information collected and processed, when in fact the Find Friends feature also collected the names and phone numbers of all the contacts in that user’s address book.  The FTC’s determination process is instructive because it is based on a combination of Snapchat’s policies, a lack of notice, and the appearance of its user interface.  Until February 2013, Snapchat’s privacy policy disclosure regarding Find Friends not only failed to fully describe the information collected by the app in connection with that feature, it also emphasized “phone number” in the list of collected data.  Prior to September 2012, phone contacts were accessed by the app without providing a warning to users (a just-in-time notification was added to the iOS operating system at a later date).  Finally, there is the interface itself (below), which according to the FTC’s allegations, implies that only collection of the phone number is involved.

As a result of this combination of factors, a user could conclude that only his or her phone number was being used.  The features considered by the FTC in alleging that Snapchat deceived its users in connection with the Find Friends feature emphasizes the degree to which user expectations matter when it comes to collecting and processing information.  As we’ve previously discussed, user consent may not shield you from all negative consequences if the user doesn’t understand what they are consenting to.  It is also worth noting that in collecting all data from user contacts, the FTC alleges that Snapchat failed to properly secure the collected data or implement a registration process that prevented the creation of fraudulent accounts. The public relations and regulatory issues faced by Snapchat following incidents of fraud and its own data breach are a reminder that the easiest way to reduce your risk profile is to limit data collection to information that is truly necessary, and implement a retention policy that ensures that unneeded and outdated information is securely destroyed.

  •  Implement a Response Process – As noted above, many of the flaws in Snapchat’s mobile application were known as far back as 2012.  According to the FTC’s complaint, Snapchat was notified by third parties about issues related to the storage of snaps and security vulnerabilities, but failed to act on those warnings.  We’ve seen an increase in FTC settlements where a service provider’s failure to heed third party security warnings have been a major factor.  At this point there is no question that an efficient and specifically-tailored response plan for security feedback should be considered a necessary part of any reasonable information security program.

If you have questions regarding implementing compliance procedures for your application, your Mintz Levin privacy team is here to help.  If, on the other hand, you have questions about what is appropriate to send through Snapchat, we can only advise that in our opinion “duck face” selfies are never okay.