Snapchat may face legal action and government probes into a security breach last month that exposed personal information of 4.6 million users of its photo-sharing app, experts tell TheWrap.
The social media upstart shot to prominence by providing customers with a sense of security that the images they shared with one another would not wind up adorning the public square. That’s because pictures distributed via Snapchat are timed to delete, making the app a favorite tool for “sexting.”
Consequently, privacy experts argue that Snapchat is in violation of Federal Trade Commission guidelines, which state that once a business provides security assurances to customers, it must make good on those promises.
When the company was hacked by the website SnapchatDB.info in December, no photos were leaked — only usernames and phone numbers that were partially redacted. SnapchatDB.info claimed it only wanted to expose the company’s security vulnerabilities, but even though financial information and private correspondence weren’t exposed, regulators may be unmoved.
“I would not be surprised if the FTC picked this up,” Robert Ellis Smith, a lawyer and publisher of Privacy Journal, told TheWrap. “Past cases have involved social security numbers, addresses and birth dates. It’s not limited to financial information … Phone numbers are much more sensitive now than they were before. Because they’re linked to cell phones, they can be a way of locating you in real time.”
A spokesperson for the FTC declined to comment and a spokesperson for Snapchat did not respond to requests for comment.
In the past, Google and Facebook have been penalized when they’ve compromised the personal data of users intentionally or otherwise, so there’s precedent. That’s to say nothing of investigations led by state attorneys general or class action lawsuits that might arise in the wake of the intense scrutiny being directed at Snapchat’s business practices.
If Snapchat is found to have violated privacy promises, the price tag for its negligence could be on the order of tens of millions of dollars, attorneys say.
“Over the past year and a half, the FTC and states like California have really stepped up their efforts to crack down on violations of privacy and breaches of security similar to what happened at Snapchat,” Adam D.H. Grant, a partner at Alpert Barr & Grant and chief legal contributor to App Developer Magazine, said.
On Friday, the Electronic Privacy Information Center, which complained to the FTC last July that Snapchat wasn’t actually destroying some of the pictures and videos it assured consumers would immediately disappear after they were sent, expressed concerns about the breach.
David Jacobs, consumer protection counsel, said the FTC should examine the hacking at Snapchat and determine whether it used reasonable data security protection. While the information that the Snapchat breach revealed may at first blush seem less sensitive than a recent hacking at Target that exposed consumers’ credit card data, any release of private information can have dire consequences.
“It is hard to assume in each case whether the breach is serious because a lot of times seemingly innocuous information can be re-used by consumers for other accounts,” he said. Details of passwords or personal information can supply essential background that helps identity thieves target prey.
In the Snapchat case, he said that even with digits missing, publishing phone numbers could increase cellphone spam.
“While the last two digits are obscured, someone could easily automate the sending of messages and consumers certainly hate receiving spam,” he said.
At minimum, Jacobs suggested that the FTC should force Snapchat to tell its members which numbers were publicly released. From a legal standpoint, Snapchat’s response to the hacking is of little consequence. Its actions before SnapchatDB.info got ahold of its users’ data are what will concern any investigators.
“What is going to be relevant in a legal proceeding is what was done before this happened,” Grant said. “What procedures did they have in place and what kind of analysis and testing of those procedures had they done prior to the hacking?”
However, an over-stretched federal government may limit any FTC action, some experts say, making state investigations a more likely outcome.
“Given the limited resources the federal government has, this may be a case where a state attorney general or a local D.A. ends up pursuing the situation,” Susan Kohn Ross, a partner at Mitchell Silberberg & Knupp, said. “2014 is an election year and privacy violations may be a good issue to take on for an ambitious attorney general looking to make a name for themselves.”
Ira Teinowitz contributed to this report.