Despite the four-year-old company’s success in knocking it out of the park with a wildly popular messaging service, Snapchat hasn’t hit any home runs when it comes to building a reputation as a trustworthy or privacy-minded company. Snapchat has been cited by the FTC for misrepresenting its privacy practices. It’s left user information exposed to hackers. And it has failed to prevent third-party apps from enabling users to archive Snaps, leading to the “Snappening,” when a hacker accessed thousands of private photos stored by a third-party app that Snapchat didn’t block.
Backchannel’s Steven Levy reports that the last year has been “pivotal” for Snapchat. Its Stories feature, which aggregates a user’s images of a day or event, now generates more images than its core messaging function. The app has added video chat, advertising, and a feature that lets users send money to one another. Its Discover program gives top media organizations a place to share their stories within the app. 800 million Snaps are sent every day as users turn to the app to keep in contact with their friends. And Snapchat’s latest round of funding valued the company at $15 billion.
So Snapchat is making a concerted effort to turn that trend around and prove to users that it can be trusted. Levy reports: “To back up this claim, it’s announcing three developments in its effort to improve security, bolster its privacy protections, and engender trust.” Those three developments are the release of Snapchat’s first transparency report, expansions to the program that rewards coders for finding vulnerabilities that could compromise Snapchat’s security, and efforts to completely shut down the third-party apps that violate the company’s terms of service and put users’ privacy at risk.
Snapchat’s first transparency report
Snapchat published its inaugural transparency report, detailing the number of requests for user information from law enforcement and national security agencies, and how Snapchat responded to them. Levy notes that the volume of requests is low. Law enforcement agencies made just 375 requests affecting 666 accounts from November 1, 2014 to February 28, 2015, and data was produced in response to 92% of these requests. But Levy says the requests often resulted not in message content but in metadata, such as whom the user in question exchanged Snaps with, and Snapchat says that it successfully narrowed the scope of some specific requests.
Expansions to the company’s ‘bug bounty’ program
Snapchat has expanded its so-called “bug bounty” program, which rewards coders from around the world for finding and reporting vulnerabilities that could compromise Snapchat’s security. When coders do find such weak spots in Snapchat’s iOS or Android apps, its main server-side application, or its account management website — and report them with “a clear textual description of the report along with steps to reproduce the vulnerability” — the company rewards them with cash, determining the payment based on the severity of the vulnerability.
Complete shutdown of third-party apps
Snapchat doesn’t publish or allow outside access to its APIs, but third parties have offered apps that add functionality while compromising the user’s privacy on Snapchat. Levy reports that for months, the company has been making it more difficult for third-party developers to create such apps, and it’s now introducing new techniques that it hopes will shut the door on them permanently.
Snapchat also made its privacy and security executives available to Backchannel. Tim Sehn, vice president of engineering at Snapchat, told Levy, “Almost every security issue we’ve had since I’ve been here has been related to API abuse.” The week before Sehn became Snapchat’s 18th employee, a publication in a security journal detailed how Snapchat’s API worked. The information enabled third-party developers to build on top of Snapchat, creating rogue apps that opened the door to spam and violated the company’s terms of service, particularly by enabling users to archive Snaps.
Snapchat’s troubled history with security
A 2013 complaint to the FTC stated Snapchat was misleading users by claiming that Snaps always disappeared after viewing. But in some versions of the iOS operating system, the Snaps weren’t deleted, but were simply renamed, enabling savvy users to retrieve them. And many users could save Snaps via the third-party apps. The complaint led to an investigation by the FTC, and perceptions of the seriousness of the investigation vary depending on whom you ask.
Micah Schaffer, a policy and governance expert who joined Snapchat in 2013, told Backchannel that “The FTC’s principal focus was the app store description, written when the founders were back at Stanford.” But Marc Rotenberg, the head of the Electronic Privacy Information Center, which brought the original complaint, told Levy, “It was a deceptive practice. This was the whole basis of their service offering. If you say your message will vanish, then your message has to vanish. Otherwise you’re lying.”
The company had been at work securing the app and users’ information since late in 2013, when hackers began targeting users and employing their accounts to send spam. At the end of 2013, a hacker figured out how to pair the names and phone numbers of four million Snapchat users, taking advantage of the app’s “Find Friends” function. Those names and numbers were then published on the web. Snapchat implemented short-term and long-term fixes, so that when the app suspects malicious activity, it shuts down the “Internet neighborhood” where the threat originates, even at the risk of affecting innocent users. The Find Friends exploit became part of the FTC settlement.
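The “Internet neighborhood” response described above, throttling a contact-lookup endpoint by the source network block rather than by individual address so that a distributed enumeration run trips the limit even when every request comes from a different host, can be sketched as follows. This is an added example, not Snapchat’s code; the endpoint name, the log format, the thresholds and the addresses (documentation ranges) are all constructed for the illustration.

```python
"""Added illustration (not Snapchat's code): throttle a contact-lookup
endpoint per source network block, so one abusive "neighborhood" is cut
off even at the cost of refusing innocent hosts in the same block.
Thresholds, log format and addresses below are constructed for the example."""
from collections import defaultdict, deque
import ipaddress


class NeighborhoodLimiter:
    """Sliding-window counter keyed on the /24 (IPv4) or /48 (IPv6) block of
    the requesting address. Once a block exceeds `limit` lookups inside
    `window` seconds, every further request from that block is refused
    until the old hits age out, including requests from other hosts in it."""

    def __init__(self, limit=5, window=60, v4_prefix=24, v6_prefix=48):
        self.limit = limit
        self.window = window
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.hits = defaultdict(deque)  # block -> timestamps of recent lookups
        self.blocked = {}               # block -> time the block was first refused

    def block_of(self, ip):
        """Map an address to the network block used as the rate-limit key."""
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def allow(self, ip, now):
        """Record a lookup at time `now`; return True if it may proceed."""
        block = self.block_of(ip)
        q = self.hits[block]
        while q and now - q[0] >= self.window:   # drop hits outside the window
            q.popleft()
        q.append(now)   # refused attempts still count, so hammering keeps a block shut
        if len(q) > self.limit:
            self.blocked.setdefault(block, now)
            return False
        return True


# Constructed access log: "<unix ts> <client ip> <endpoint>", comments after '#'.
SAMPLE_LOG = """\
1388484000 203.0.113.10 find_friends
1388484001 203.0.113.11 find_friends
1388484002 203.0.113.12 find_friends
1388484003 203.0.113.13 find_friends
1388484004 203.0.113.14 find_friends
1388484005 203.0.113.15 find_friends   # sixth host in the /24 within the window: refused
1388484006 203.0.113.16 find_friends   # still refused
1388484007 198.51.100.7 find_friends   # different neighborhood: unaffected
1388484070 203.0.113.10 find_friends   # window has drained: allowed again
"""


def replay(log_text, limiter):
    """Replay log lines through the limiter; return (allowed, refused, blocked blocks)."""
    allowed = refused = 0
    for raw in log_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 3:
            continue
        ts, ip, _endpoint = fields[:3]
        if limiter.allow(ip, int(ts)):
            allowed += 1
        else:
            refused += 1
    return allowed, refused, set(limiter.blocked)


def replay_sample():
    """Run the constructed log with a limit of 5 lookups per block per minute."""
    return replay(SAMPLE_LOG, NeighborhoodLimiter(limit=5, window=60))


if __name__ == "__main__":
    allowed, refused, blocks = replay_sample()
    print(f"allowed={allowed} refused={refused} blocked={sorted(blocks)}")
```

The trade-off the article names is visible in the last lines of the log: the host at 203.0.113.16 is refused only because its neighbors exhausted the block’s budget, while 198.51.100.7 in another block is untouched. Tuning the prefix length and the window is what decides how much collateral refusal a deployment accepts.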
In April 2014, the company hired Jad Boutrous, formerly of Google, to overhaul Snapchat’s security. He dealt with another major spam attack, but meanwhile, the most problematic security issue remained. Outsiders who figured out how to access the company’s APIs inserted spam or created third-party apps, and some let users capture or archive Snaps, violating the app’s terms of service. When one, called Snapsaved, was hacked, the hackers posted more than 90,000 pictures and videos online.
So Snapchat has now further fortified its APIs to block access by those third-party apps. It’s working with Apple and Google to try to remove apps that violate Snapchat’s terms of service from their stores, and it’s cracking down on users who install these types of apps, eventually locking their accounts if they persist in using them after being warned.
Some privacy advocates maintain that Snapchat still has some ground to cover in protecting the security of its users’ data. They complain that the company hasn’t implemented end-to-end encryption, which would make an image or a video un-viewable by anyone, including Snapchat, from the moment a user produces a Snap to the moment the intended user receives it. Levy reports that Snapchat doesn’t currently plan to implement such encryption, but its executives cite their continuing progress in fortifying the app against attacks and vulnerabilities.
And the company believes that its constant deletion of users’ data is a “competitive advantage,” one that demonstrates the regard it has for users’ security and privacy. Sehn tells Levy, “We care enough to delete their data. That is something that most companies don’t do because that data is valuable. It costs us something to do that. So it’s definitely part of the ethos that has been there since the start.”