(Washington, DC) In a move that could have wide-ranging effects on how Internet and mobile application providers approach both privacy and data security, the Federal Trade Commission (FTC) today entered into a consent order with mobile messaging app provider Snapchat, subjecting the company to a series of requirements aimed at ensuring that Snapchat maintains and protects the privacy, security and confidentiality of any consumer information. The action, which officials labeled as a "significant" move by the agency, follows a complaint issued by the FTC that despite Snapchat's claims, images and videos transmitted via the application did not completely self-destruct and that adequate security of the service was not in place.
In announcing the consent order here at a Media Institute luncheon, FTC Chairwoman Edith Ramirez stressed not only the deceptive claims regarding content self-destruction (recipients could use tools outside of the application to save both photo and video messages), but also the need to maintain strict security practices, particularly when those practices are promoted as part of a product's appeal. "The Snapchat case vividly illustrates that there is no data privacy without data security," she said.
Pointing to the high-profile data breaches over the past year, Ramirez said "despite the threats posed by data breaches, I am concerned that many companies continue to underinvest in data security and make fundamental mistakes when it comes to protecting sensitive consumer information." Hinting at increased action by the FTC when promoted security fails to materialize, Ramirez noted that "the FTC’s enforcement work in this area has shown that some companies fail to take even the most basic security precautions, such as failing to update antivirus software or to require network administrators to use strong passwords."
In making its original complaint against Snapchat, the FTC alleged that despite its claims of implementing adequate security measures, SnapChat "did not employ reasonable security measures to protect personal information from misuse and unauthorized disclosure." It alleged that Snapchat failed to implement proper identity verification upon sign-up, allowing users to send personal images to complete strangers who had registered with false phone numbers. Moreover, the complaint alleges, Snapchat failed to secure its "Find Friends" feature, which resulted in a security breach permitting attackers to compile a database of 4.6 million Snapchat usernames and phone numbers.
In discussing the order with reporters following its release, Chris Olsen, Assistant Director, Division of Privacy and Identity Protection at the FTC said the case is a "new statement in our body of cases" because it tackles "a major player on many platforms with many users" and because Snapchat made "unequivocal express claims about the privacy of its service."
Although the FTC has brought a number of cases against individual apps for deceptive privacy practices and last year sued HTC America for negligently injecting security vulnerabilities in its devices that put sensitive consumer information at risk, the Snapchat case appears to reflect a new direction by the agency in holding companies responsible for failing to meet promised security protections. "If you are making promises about security, privacy or anonymity, you have to keep those promises," Olsen said.
Under the order, which will be put out for 30 days for public comment before it becomes final, Snapchat will have to cease any misrepresentation, establish, implement and maintain a comprehensive privacy program and conduct initial and biennial assessments of and reports on that program from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Those assessments and reports will continue for twenty years. Any violation of the order will cost Snapchat $16,000 per day per new violation or $16,000 per day for a continuing violation.