The process of writing this article was much more educational than I anticipated. I started out to write about a breach of Snapchat usernames and phone numbers, so I could warn readers about using this service. Then I found out about the photo leaks—and more.
I also found a significant amount of naiveté demonstrated by some of the bloggers who are speaking with an authoritative voice, but who really don’t seem to understand that there are risks inherent in certain technologies.
And I found that tech sources had their usual boring titles for their articles, but with excellent information. Parenting and mainstream news sites had much more provocative titles, but gave very little information of actual value.
Finally, I found some statistics that I felt were very encouraging, given the demographics of Snapchat users. So let’s dive into some meat.
Snapchat was created by Stanford University students (hmmm…where have we seen this before [cough—Facebook]) as a class project. Material on social media has what we call a “long tail”: it sticks around a long time. One of the objectives was to reduce the stress from having that long-tailed data out there in social media-land. It is a mobile phone app that lets users send images and video clips to other users with whom they have connected via the app. Each item can be viewed for a matter of seconds, anywhere from one to ten seconds as determined by the sender (in one-second increments), and then *poof*– the item is gone. A user can draw on a photo before sending it, and can use the app like a simple text messenger as well. A sender can save his own photos to his own phone’s gallery, but the recipient is really not supposed to save the photo. There is no “save photo” feature in the app; that’s kind of the whole point of it. The app has emojis in the friend list that indicate the level of interaction with other users.
In order for Snapchat to be of any use, a user needs to have contacts who are also using Snapchat. Snapchat will ask if you want it to search your contacts for other Snapchat users, and if it finds any of your contacts who are also using the app, you can invite them to be your Friend. You can also add the username of another user directly into your Friends, and you can Snap to Add—hover your Snapchat camera over your friend’s ghost in their profile screen.
In addition to the one-to-one communication, Snapchat can be used to blast out Stories to groups. The Story doesn’t have the ten-second self-destruct button that individual Snaps (items sent through Snapchat are called Snaps) have. Snapchat also has a Discover feature that will allow users to follow people and interest groups.
The short life of the Snaps might cause some users to want to screenshot a Snap before it Poofs away, but when they do that, the sender is notified of it.
Snapchat currently boasts over 100 million monthly active users, sending over 700 million Snaps each day. Just as happened with Facebook, Snapchat experienced a dispute over ownership, which, unlike Facebook, was peacefully resolved.
This matrix shows how Snapchat fits into our communication methods. Friction refers to the things that would keep us from being able to do it quickly. Keeping this in mind, we can see that Snapchat’s growth and popularity have arisen from the ability to have something resembling a real conversation, with all the same emotional involvement that a real face-to-face conversation might have, quickly and easily. In the same way that you can make a facial expression and then change back to your normal expression, Snaps are said to be “ephemeral” in nature. It’s very different from posting a “selfie” on Instagram, Twitter, or Facebook, in that those images are there; they can be deleted, but not completely. The ephemerality of Snaps helps the sender focus on the content, the conversation, rather than on how the content looks. It’s the difference between capturing life in images and then publishing that life online, and living and communicating/publishing at the same time. Most importantly, users say, it’s popular because it’s fun.
A study conducted by the University of Washington and Seattle Pacific University revealed the following about Snapchat users and usage:
- Only 1.6% of respondents say they used the service primarily for sexting, although 14.2% admitted to having sent sexual content at some point.
- 59.8% say they used it for comedic content such as “stupid faces” and such.
- 74.8% say they would NOT be willing to use it for sexting.
- 85% say they would NOT be willing to use it to send photos of documents.
- 86.6% say they would NOT be willing to send messages containing legally questionable content.
- 93.7% say they would NOT be willing to use it to send mean or insulting content.
- 79.4% said they knew recovering snaps is possible.
- 52.8% say their behavior and/or use is not affected by that.
In May of 2013, Forbes published an article on its site about a forensics examiner in Utah who had been able to recover Snapchat photos and videos from Android phones. I’ve seen the videos of how it’s done. There is plenty of material on the web showing it done for iPhones as well. My purpose here is not to show HOW it can be done, but to alert you to the reality that it CAN be done. Think, now, what this means: that Snapchat photos DON’T DISAPPEAR. They’re NOT GONE FOREVER. They DO exist somewhere and they CAN come back to haunt you. In fact, the forensics examiner had been charged with finding these snaps for divorce cases and missing child cases. But Snapchat had marketed the app on the basis that the photos and videos “disappear.”
On May 16 of 2013, the Electronic Privacy Information Center filed a complaint with the Federal Trade Commission, which you can read in full here: https://epic.org/privacy/ftc/EPIC-Snapchat-Complaint.pdf. The basis of the complaint was the misrepresentation that the snaps were “gone forever,” and other security issues. To wit, these were the main points in the complaint:
- Snapchat stored video clips unencrypted on the recipient’s device, outside of the app’s “sandbox”; the videos remained accessible to recipients who connected their devices to a computer and browsed the file directory, or who used a third-party file manager on the phone.
- Users were told they would be informed if a recipient took a screenshot—but this depended on the recipient using the official Snapchat client, and the feature did not exist before iOS version 7.
- The complaint found that the app surreptitiously tracked an Android user’s every move, and that, rather than simply accessing the contact list on an iPhone, it uploaded the entire contact list to Snapchat’s servers.
In that same month, a website, Facebook fan page, and Twitter account for Snapchat Leaked appeared to be publishing snaps that had been captured at the recipient end.
In August of that same year, a security research firm named Gibson Security discovered a disturbing number of security flaws in the code that makes up the app. While Snapchat does in fact encrypt the images and videos, it uses the least effective mode of encryption available. It also uses symmetric key encryption (brief explanation available here), which means that both parties use the same key. This is not in and of itself a bad thing, unless ALL users use the same key—and they do. Moreover, Android phones and iPhones use the same key as well. Because there is only one key, gaining access to the servers would potentially allow someone to view unread snaps, modify and replace snaps, and see old snaps. Gibson told the developers that this and several other flaws could allow users to create dummy accounts in bulk. Snapchat was pretty cavalier about it and didn’t respond to the information. Oh—and the key has been published online.
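Why one key for everyone is so much worse than a key per user, as an added example (not Snapchat’s code; the cipher is a SHA-256 counter-mode stand-in for AES because the Python standard library has no AES, and every key below is a placeholder):

```python
import hashlib
import hmac

# Toy keystream cipher (SHA-256 in counter mode) standing in for AES, which the
# standard library does not provide. Constructed for illustration only; it is
# NOT Snapchat's code and NOT a production cipher.
def xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    block = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, out))

def derive_user_key(master_secret: bytes, user_id: str) -> bytes:
    """Per-user key from a server-side master secret (HMAC used as a simple KDF)."""
    label = b"snap-key:" + user_id.encode()
    return hmac.new(master_secret, label, hashlib.sha256).digest()

def snaps_readable_with(key: bytes, encrypted_snaps: dict) -> list:
    """Which stored snaps decrypt to their known plaintext marker under this key."""
    readable = []
    for user, (nonce, blob) in encrypted_snaps.items():
        if xor_keystream(key, nonce, blob).startswith(b"SNAP:"):
            readable.append(user)
    return readable

# Constructed sample: three users' snaps. The nonce is just the user id for brevity.
USERS = {"alice": b"SNAP:photo of a cat", "bob": b"SNAP:stupid face", "carol": b"SNAP:birthday"}
GLOBAL_KEY = b"placeholder-global-key-not-the-real-one"   # placeholder, not the leaked key
MASTER = b"placeholder-server-master-secret"              # placeholder

def shared_key_exposure() -> list:
    """Design A: one key for every user. A leaked key reads every stored snap."""
    store = {u: (u.encode(), xor_keystream(GLOBAL_KEY, u.encode(), p)) for u, p in USERS.items()}
    return snaps_readable_with(GLOBAL_KEY, store)

def per_user_key_exposure(leaked_user: str) -> list:
    """Design B: a key per user. Leaking one user's key exposes only that user's snaps."""
    store = {u: (u.encode(), xor_keystream(derive_user_key(MASTER, u), u.encode(), p))
             for u, p in USERS.items()}
    return snaps_readable_with(derive_user_key(MASTER, leaked_user), store)
```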
On December 31, 2013, a group calling itself SnapchatDB, using a website called SnapchatDB.info, posted usernames and phone numbers, with the last two digits obscured, of 4.6 million users. They explained their actions: “Our motivation behind the release was to raise the public awareness around the issue, and also put public pressure on Snapchat to get this exploit fixed. Security matters as much as user experience does.” (Was your phone number exposed? Go to http://snapchatcheck.com to see.)
A data analytics expert was able to figure out that although there were 323 American and 41 Canadian area codes, the top 10 area codes were concentrated across California, Colorado, Illinois, and New York. However, there were only about 20 states with no phone numbers in the group. (Was your number among those leaked? Find out here by entering your user name or phone number.) Okay, so big deal—it’s just a user name, and the last two digits of the phone number weren’t there. Well, with only two digits missing, and each digit anywhere from 0 through 9, there are just 100 possible combinations per user name. It wouldn’t take very long to identify a working phone number and match it up with a user name. And one high school student did just that.
16-year-old Graham Smith was able to use the database disclosure to find the phone number of Snapchat’s co-founder, Bobby Murphy. Although Smith didn’t disclose Murphy’s user name, many of Snapchat’s users use their own name or some form of it as a user name. Smith said he found Murphy’s user name and in less than a minute had his phone number. Smith contacted Murphy via text message and began an email conversation regarding the flaws that Smith had found in his personal research projects, and although Murphy was receptive to the suggestions and concerns, nothing much was done. Snapchat did implement a Snaptcha, similar to the Captcha input processes you see on websites, but very quickly code to break it was published online.
So it just kept getting better and better. Despite Snapchat’s terms of service stating that screen captures are not allowed, and despite the official Snapchat app alerting the sender when a recipient who also uses the official app captures the screen, there are many third-party apps (which are also a violation of the terms of service) that do not send that alert to the sender. In fact, some client apps are created with the very intent of saving the snaps.
In May of 2014 the FTC and Snapchat came to an agreement as to what was needed (Snapchat “settled” with the FTC over the complaint): Snapchat had to revise its claims about privacy, security, and confidentiality of user information. Snapchat also had to implement a comprehensive privacy program that will be monitored by an as-yet-unnamed independent privacy professional for the next 20 years.
As if that wasn’t enough, then there was “The Snappening.” In October of 2014, it was reported that 13 GB of images were released into the wild from a Snapchat third-party client called SnapSaved. SnapSaved at first adamantly denied involvement, but the site was down for a short while after that. SnapSaved later admitted that there was a misconfiguration in its Apache server, and, as it turns out, it was only 500 MB of data, not the 13 GB that was first reported. That’s somewhere between 100,000 and 200,000 images and videos, and that’s not very much data, given the daily use of Snapchat, but if one of those images was mine, I’d feel pretty violated.
Snapchat says there’s little they can do about things like that, but that’s not completely accurate. Their website should be running analytics that identifies incoming connections. Those connections should be accepted from authorized sources and rejected from unauthorized sources.
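What “identifying incoming connections” could look like on the server side, as an added example that is not Snapchat’s code: it runs over a constructed, invented log format, assumes an allow-list of official client strings, and treats a burst of media fetches from one account as saver-style behaviour.

```python
import re
from collections import Counter

# Constructed sample of API access lines (time, account, client string, method, path).
# This is an invented log format for illustration, not Snapchat's real logs.
SAMPLE_LOG = """\
12:00:01 alice Snapchat/9.0(iOS) GET /media/101
12:00:09 alice Snapchat/9.0(iOS) GET /media/102
12:00:02 bob SnapSaved-Client/1.2 GET /media/201
12:00:03 bob SnapSaved-Client/1.2 GET /media/202
12:00:10 carol Snapchat/9.0(Android) POST /send
12:01:00 dave Snapchat/9.0(Android) GET /media/301
12:01:01 dave Snapchat/9.0(Android) GET /media/302
12:01:02 dave Snapchat/9.0(Android) GET /media/303
12:01:03 dave Snapchat/9.0(Android) GET /media/304
12:01:04 dave Snapchat/9.0(Android) GET /media/305
12:01:05 dave Snapchat/9.0(Android) GET /media/306
"""

OFFICIAL_CLIENT = re.compile(r"^Snapchat/\d+\.\d+\((iOS|Android)\)$")  # assumed allow-list
LINE = re.compile(r"^(\d\d:\d\d):\d\d (\S+) (\S+) (GET|POST) (\S+)$")
BULK_PER_MINUTE = 5  # media fetches per minute; a person viewing snaps stays well below this

def parse_lines(log: str):
    """Yield (minute, account, client, method, path) for each well-formed line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield m.groups()

def classify_accounts(log: str) -> dict:
    """Map each account to 'accept', 'reject: unofficial client' or 'flag: bulk media download'."""
    verdicts = {}
    fetches = Counter()
    for minute, account, client, method, path in parse_lines(log):
        verdicts.setdefault(account, "accept")
        if not OFFICIAL_CLIENT.match(client):
            verdicts[account] = "reject: unofficial client"   # not an authorized source
            continue
        if method == "GET" and path.startswith("/media/"):
            fetches[(account, minute)] += 1
            if fetches[(account, minute)] > BULK_PER_MINUTE:
                verdicts[account] = "flag: bulk media download"  # saver-style behaviour
    return verdicts
```

The client string is self-reported and trivially spoofed, so the allow-list only catches clients that do not bother to disguise themselves; the per-minute fetch rate is the sturdier of the two signals.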
Can Snapchat Be Used Safely?
If you are an avid Snapchat user, none of this will make you stop using the app, and that isn’t my intention. Just keep the following things in mind as you move forward:
- The data exposed could result in text-messaging spam with infectious weblinks. SMS phishing spam is on the rise. The objective is to lure the mobile user into clicking on a malicious link, often using geographical or business references to make it more believable.
- Your username can say a lot about you as a user. Your phone number may be just a phone number. Your work address may be just your work address. Each of these items of Personally Identifiable Information (PII) standing alone doesn’t say much. But neither does one piece of a jigsaw puzzle. And, just like a jigsaw puzzle, you don’t need all the pieces to be put into their proper place to get a good idea of what the big picture looks like–you just need enough of the right pieces in the right places. And believe me, the bad guys know which pieces are the right pieces, and which places are the right places.
- 50% of Snapchat users are between 13 and 17. Any mass release of stolen Snapchat images is likely to contain child pornography.
- Snapchat complied with 92% of information requests from the federal government—a higher rate than Yahoo, Twitter, Facebook, or Google. This might include address book contacts, usernames, phone numbers, and the 30-days’ preservation of unopened snaps. Snapchat can also be served with a preservation order.
- On 15 May 2014, the Electronic Frontier Foundation released its 73-page “Who Has Your Back” report on service providers’ privacy and transparency practices regarding government access to user data. Snapchat was ranked lowest in the report in the category of privacy, the only one to earn just one star.
- Robert Siciliano, a McAfee online security expert, said Snapchat users should not have a reasonable expectation that their snaps will remain private.
Additionally, Snapchat has a two-factor authentication method now. It uses a verification code delivered via SMS as a second security measure for customers logging in on new devices, and it can be activated from within a sub-menu in the “settings” section. Security expert Graham Cluley is convinced most users will never turn it on.
As it turns out, Snapchat is both better and worse than I had originally thought. And I am really surprised to see that it is used for sexting far less than its reputation among my peers would suggest. The survey also indicated that Snapchat users are very nice people, and very ethical—the activities in which they said they would NOT be willing to engage are those activities in which we would want people to not engage.
The draw to this type of technology is the fantasy that there is no “permanent record” so you don’t have to think that far ahead; but that fantasy just doesn’t exist, and I’m not sure it should. I think a lot of heavy tech users, especially those among us for whom technology has always been a part of life, have a mistaken belief that technology created the long tail I described earlier. I don’t think so. I think that those of us who haven’t relied on technology for our records of conversations have longer tails in our memories; technology may have decreased the attention span of those who depend more heavily on the technologies available, but I can still recall funny faces my children made, or how nervous my husband was when he was asking me for our first date. Of course those things aren’t “out there” for everyone else to see, they’re private in the most private way, and there is no breach of security that can violate that privacy.
With so much of what used to be considered “private” being put “out there” for all to see, it’s possible that people’s conception of what “private” really means, and what it ought to mean, has shifted. And the idea that you can rely on technology to provide “privacy” is not accurate. The Cloud is no place for anything that ought to be kept private. But for all of its other fun features, as long as you are aware that Snapchat’s developers are not paying much attention to security, and that you need to exercise vigilance over anything that contains personally identifiable information, Snapchat sounds like a great way to have a lot of fun with friends you can’t be in the same room with.
If you are a Snapchat user, have you been aware of these breaches? What have you done as a result? Has knowing this made you more or less likely to use Snapchat? Also, I’d love to hear why you love it. I’m not likely to use it, I’m using a product called Cyber Dust, which does the same thing essentially with a little more business orientation to it, but I can see why Snapchat has the fan base it has.