On Thursday, mobile messaging application Snapchat agreed to settle Federal Trade Commission (“FTC”) charges that it made false or misleading representations about the ephemeral nature of its messages, the collection of user information, and the nature of its security practices. The FTC Complaint alleges six counts, many of which demonstrate the Commission’s aggressive enforcement of the FTC Act in the mobile space.
According to the Complaint, the Snapchat app allows users to send and receive photo and video messages, or “snaps,” for a limited period of time. In marketing its app, Snapchat has stated that its snaps “disappear forever” after the limited time expires. The company has also said that it will notify senders in the event that a recipient manages to take a screenshot of the message prior to its disappearance.
In Count 1 of the Complaint, the FTC alleges Snapchat’s disappearance claim was false or misleading because users could circumvent Snapchat’s deletion feature by logging on to Snapchat through third-party apps and, for a time, could locate “deleted” messages by connecting their phones to a computer and using local browsing tools. Chairwoman Ramirez, in announcing the Snapchat decision at a lunch program hosted by the Media Institute, noted in response to an audience question that this count did not mean that the FTC was holding Snapchat liable for the actions of unrelated third parties. Rather, the FTC believes that a developer has an obligation to reform its privacy representations when it is on notice that third parties have widely marketed tools that undermine those representations.
Similarly, the FTC charged that Snapchat’s screenshot notification claim was deceptive because Apple users running pre-iOS 7 platforms could circumvent Snapchat’s screenshot detection mechanism by pressing the Home button twice in rapid succession (Count 2).
Finally, the FTC alleges that Snapchat misrepresented that it employed “reasonable” security practices. The FTC grounds this allegation in the fact that Snapchat failed to verify that the phone number entered by a user belonged to the mobile device being used, that Snapchat did not restrict the number of Find Friend requests that could be made, and that Snapchat did not restrict serial or automatic account creation. According to the Complaint, these failures led to a December 2013 data breach, in which hackers compiled a database of 4.6 million Snapchat usernames and phone numbers.
For its violations of Section 5 of the FTC Act, Snapchat agreed to implement a privacy program that will be subject to monitoring for 20 years. Snapchat also agreed to refrain from making future misrepresentations about the extent to which a message is deleted, the extent to which Snapchat may detect screenshots or notify senders of them, the information Snapchat collects, and Snapchat’s security measures.