Snapchat, the maker of the popular video and photo chat app, has agreed to settle charges by the Federal Trade Commission that the company misrepresented the supposedly ephemeral nature of the messages users send and failed to take adequate security precautions with the data it collects, leading to a data breach earlier this year that leaked information belonging to 4.6 million users.

The FTC settlement, announced Thursday, requires that the company refrain from misrepresenting the security and privacy of its app and put in place a privacy program monitored for 20 years by a third party. The commission alleges in its complaint that not only were the “snaps”, or messages, sent by users not strictly ephemeral, as the company had promised, but that the Find Friends feature of the app wasn’t secured properly, leading to users sending snaps to strangers who registered with the wrong phone numbers.

“If a company markets privacy and security as key selling points in pitching its service to consumers, it is critical that it keep those promises,” FTC Chairwoman Edith Ramirez said in a statement. “Any company that makes misrepresentations to consumers about its privacy and security practices risks FTC action.”

In January, Snapchat acknowledged a massive data breach in which attackers were able to compromise 4.6 million usernames, passwords and phone numbers belonging to the app’s users. The Snapchat data breach drew the interest of the FTC, which began investigating the company’s practices and claims about its service. The app is designed to send photo and video messages between users, and the company claimed that the messages were ephemeral and disappeared soon after being sent. However, the FTC alleges that wasn’t strictly true and that there were several methods users could employ to retrieve them later.

“Consumers can, for example, use third-party apps to log into the Snapchat service, according to the complaint.  Because the service’s deletion feature only functions in the official Snapchat app, recipients can use these widely available third-party apps to view and save snaps indefinitely. Indeed, such third-party apps have been downloaded millions of times.  Despite a security researcher warning the company about this possibility, the complaint alleges, Snapchat continued to misrepresent that the sender controls how long a recipient can view a snap,” the FTC press release says.

The commission also said that video snaps were stored in unencrypted storage areas outside the app’s sandbox and that the app collected iOS users’ contact information from their address books without notice or consent.

“Snapchat’s privacy policy claimed that the app only collected the user’s email, phone number, and Facebook ID for the purpose of finding friends.  Despite these representations, when iOS users entered their phone number to find friends, Snapchat also collected the names and phone numbers of all the contacts in their mobile device address books,” the FTC release says.

Snapchat officials said that the company had amended the wording of its privacy policy and in-app notifications to be clearer.

“While we were focused on building, some things didn’t get the attention they could have. One of those was being more precise with how we communicated with the Snapchat community,” the company said.

There was no fine announced as part of the settlement.
