Two weeks ago the Federal Trade Commission announced a settlement with Snapchat, formally acknowledging the app lied about user privacy and security, and took user data without consent.
The settlement amounts to little more than the "private" photo-sharing app being told to stop lying, and to submit privacy reports to the FTC every six months for 20 years.
No fines, restrictions or course-changing controls are to be imposed; under the settlement, Snapchat will be free to keep doing what it's good at.
Good job, FTC. That'll teach 'em.
The New York Times opined that the FTC's settlement for Snapchat is an easily ignored formality, saying that this kind of agreement follows the FTC tradition of empty gestures in holding tech companies accountable to privacy promises.
"It’s possible — and seems likely — that agreements with the government serve mainly to add a veneer of legitimacy over whatever moves the companies planned to make anyway."
But why should we care, it's all over and done with, right?
Snapchat isn't telling anyone, but the period for public comment on the FTC's settlement is now open.
The FTC will review the consent order on June 9 along with public comments, and decide if it's taking the correct action.
First, find out what people want. Then pretend to give it to them
The FTC's detailed complaint leads with a pretty basic falsehood, upon which Snapchat built its business model.
Snapchat promised users their photos disappeared "forever" — an impossible promise that exploits a populace not fully educated about mobile technology's functions and implementations.
"Is there any way to view an image after the time has expired?
No, snaps disappear after the timer runs out..."
Recipients of Snapchat messages could use their devices' screenshot function — or one of many Android or iOS apps, downloaded by millions of users worldwide — to capture an image of a snap while it appeared on their screens, the FTC said.
By the time the FTC looked into whether Snapchat user photos — widely accepted to be of a very personal nature — were actually "ephemeral," there were over a dozen apps whose express business was to save and collect a user's "disappearing" photos.
The FTC said, "On Google Play alone, ten of these applications have been downloaded as many as 1.7 million times."
Snapchat announced through press outlets in May 2013 that it had added a "screengrab notification system" feature to the app, saying "users are notified if any of their recipients try to take a screenshot of any of your Snapchats."
"We’ll let you know if [recipients] take a screenshot!"
The FTC's settlement agreement notes that this was fiction: recipients were not notified when screenshots were taken, as apparently, "recipients can easily circumvent Snapchat’s screenshot detection mechanism."
Snapchat also told users their sent videos "disappeared" — when, in truth, the videos were actually automatically saved to the recipient's phone.
Until October 2013, recipients could browse their mobile phone via computer to find and save all video files they'd received. The FTC settlement acknowledged that this was because Snapchat stored its video files outside of the app's sandbox.
The great thing about users is that you can do anything you want to them, and they can't refuse.
Snapchat secretly collected private user information and shared it with unknown parties.
"Optional to the user, we also collect an email, phone number, and Facebook ID for purpose of finding friends on the service."
This was not optional. When you entered your phone number, Snapchat scraped your entire address book.
"We do not ask for, track, or access any location-specific information from your device at any time while you are using the Snapchat application."
We can assume that little to no privacy protection (such as anonymization) was done with user information since this collection was done in secret.
What didn’t Snapchat lie about?
It's positive to see the FTC include in its report that Snapchat allowed mass creation of false user accounts.
But the FTC failed to understand the implications when it wrote, "Furthermore, Snapchat failed to implement any restrictions on serial and automated account creation." Plainly put, Snapchat's statements about user numbers were false and impossible to verify. Spam and abuse of users could be rampant.
"I am a young, white, educated male. I got really, really lucky. And life isn't fair. So if life isn't fair — it's not about working harder, it's about working the system."
— Snapchat CEO Evan Spiegel
Verifying user numbers is a problem for Snapchat's investors and partners. However, it also created a larger issue for news outlets and listings that have reported and indexed Snapchat's statements about its user numbers as if they were truthful.
The FTC also noted that Snapchat ignored the ease of user impersonation, and that this abuse could be done with little technical skill.
Among all the acknowledgements in the FTC's report, the implications for abuse, harassment and misrepresentation are both abundant and stomach-churning.
But the FTC brushed past it saying, "Snapchat could have prevented the misuse and unintentional disclosure of consumers’ personal information by verifying phone numbers using common and readily available methods."
With this settlement agreement, the FTC is sending a message — just not one that makes us feel any better about Snapchat, and all the other Snapchats out there.
And that message is: Party on with your bad self, Snapchat.
It's not like anyone's going to stop you.
ZDNet has reached out for comment to Snapchat and will update if we hear back.