Snapchat’s breach of trust: What’s the big deal?

Easily one of the most addictive time wasters ever to emerge from Silicon Valley, Snapchat has grown by leaps and bounds over the past two years. Yet for anyone watching this juggernaut from the sidelines – meaning neither as a user nor as an investor – there really isn’t much there to like.

Here is a company built to take advantage of the fact that sexting trends worldwide are being facilitated by the ubiquity of powerful smartphones. In the hands of teens – and immature adults – those devices become more than a way to take selfies to be shared with family. They’re a liability. They can be hacked, lost, kept under surveillance, infected, stolen and otherwise turned into a user’s worst nightmare.

Enter Snapchat. A simple application that offers you(th) the opportunity of sending those flirty images with the promise of teasing recipients for 10 seconds before erasing them. In so doing, it encourages risky behaviour in young people and compels users to share detailed personal information with the system. In exchange, it offers the certainty that it will collect a lot of information about you and provides a curt phrase on the “security” of the information: “We take reasonable measures to help protect information about you.”

Apparently the company’s understanding of ‘reasonable’ isn’t anywhere near the concept I was taught in high school, because co-schemers Evan Spiegel and Bobby Murphy (along with a staff of 20 which includes one David Kravitz) have been ignoring warnings about the insecurity of their software since last summer. As is ‘reasonable’ in the security industry, white hat hackers who discover vulnerabilities in code routinely report them in confidence to the affected site or company, which in turn is responsible for prompt remediation. Many companies offer bounties and rewards along with credit and recognition.

What did Snapchat – whose value was estimated at up to $4 billion before this fiasco – do? It ignored a report indicating the ease of stealing, and creating, Snapchat profiles en masse. It negligently failed to fix a gaping security hole – and one that could be addressed with 10 lines of code – for four months. That is until they watched as 4.6 million real names and redacted phone numbers became public online, exposing their trusting user base. And then what did they do? Not much.

So you can see that what was intuitively a bad idea turned into a dangerous business and eventually into a damaging situation for everyone involved.

Is there anything positive about this mess? Here are 5 things:

1. It serves to temporarily bring people back to reality – if only briefly – and realize that there is little reason to trust a system built specifically to exploit and amplify the tendency of people to engage in impulsive, addictive and potentially dangerous behaviour (not to mention cyberbullying).

2. It makes clear the fact that the company not only can’t protect user privacy, but has shown little interest in providing security.

3. It reminds parents to be more vigilant about apps that stand to make a permanent dent in their family’s dignity (and safety). Lest you think the company doesn’t care, it published a guide for parents.

4. It educates exuberant or hungry investors about (or perhaps distracts them from) seeking out fast-growing opportunities before conducting proper due diligence.

5. Finally, the public gets to learn by example – and victims the hard way – about the different mental risk calculations we should all conduct more rigorously when opting to share information digitally, be it professional data or intimate pictures.

While I have no illusions about the fact that this breach of trust will eventually be nothing but a temporary hiccup in this misguided juggernaut’s rearview mirror, in the near term I agree with those in the know: Snapchat should lawyer up, and fast.

Claudiu Popa
Claudiu Popa is a security and privacy advisor to Canadian enterprises, associations and agencies. He is an author, speaker and lecturer. Connect with him on Twitter @datarisk, Facebook, G+ or LinkedIn.
