Stanford CIS

Don’t Listen to Snapchat’s Excuses. Security Is Its Job

By Woodrow Hartzog

Cross-posted from Wired.

If you’re a Snapchat user, you should know something: The “Snappening” is not your fault.

On Sunday, the threat of what has been dubbed “The Snappening” actually happened. Hundreds of thousands of pictures and videos taken by users of the popular ephemeral media service Snapchat were intercepted by hackers and, after a few days of bragging and bluster, they were finally posted online in a 13GB dump. Details are still rolling in on how this attack might have been carried out, but signs point to the use of insecure, unauthorized third-party software designed to let users store “disappearing” snaps. The third-party software service SnapSaved.com has confirmed it was compromised as part of this attack.

As a company that is already the subject of an FTC complaint regarding privacy and data security, Snapchat was quick to proclaim that they did nothing wrong, promptly issuing a statement which read “We can confirm that Snapchat’s servers were never breached and were not the source of these leaks.” Then the company promptly blamed its users, saying “Snapchatters were allegedly victimized by their use of third-party apps to send and receive Snaps, a practice that we expressly prohibit in our Terms of Use precisely because they compromise our users’ security.”

The guidance and rules are buried in the fine print with no explanation for the ban on third-party software. This dense, boilerplate agreement places the burden of securing against this attack on the party in the relationship least likely to have knowledge of the vulnerability—the user. People who relied upon the app’s implicit promise of ephemera and relative safety wouldn’t be wrong to feel betrayed by Snapchat’s “it’s not us, it’s you” attitude.

While it’s true that everyone must exercise caution online and take responsibility for good data security, placing all of the blame on users for this breach is misguided. Good data security means effectively educating users so they can work with companies to protect information. Two crucial lessons from this hack and the response to it must be incorporated in the US’s evolving approach to the law and policy of data security. First, companies must educate their users about risks in regular language, not boilerplate legalese. Second, technologies that promise relative privacy must provide better data security than traditional social media. Let’s break them both down.

Users Can Only Act Responsibly When They Know What Is Risky

Of course, everyone who uses the Internet must accept some responsibility for securing our personal data. We should select strong passwords and keep them safe. We should learn how to spot obvious phishing attempts and scam applications. We can’t just do whatever we want to on the Internet and expect companies to protect us against all threats.

But even if the burden of protection was rightfully on users in this instance, most were probably unaware of the security risk posed by third-party applications. Third-party applications for social media are quite common. The application marketplaces for Apple and Google regularly feature third-party applications for Twitter, Facebook, and even Snapchat. Snapchat claims to have been diligent in patrolling these applications, but the average user would likely have no idea such popular technologies were so risky and prohibited by Snapchat. Shifting risk onto users through contracts that no consumer should be expected to read cannot be how data security is approached in the modern age.

Data security is opaque to most of us. It is almost impossible to tell which companies have reasonable data security practices. We are also poorly equipped to monitor the complex and rapidly changing threats to data security for each technology we use. If a common practice like using third-party applications is forbidden, notice should be much clearer. Companies should notify us through the user interface, not the fine print. And if meaningful notice is unfeasible, then companies remain responsible.

Companies That Encourage Intimate Sharing Must Do Better

We don’t yet know the exact details of this leak. But it seems that most of these photos were obtained by unauthorized third-party applications that used Snapchat’s application programming interface (aka its API). In Andy Greenberg’s informative analysis of the attack, he notes that security experts think that “there’s no easy fix for that backdoor into [Snapchat’s] not-so-disappearing data.”

But reasonable data security for technologies designed to encourage intimate and voluminous disclosures requires much more than an “easy fix.” While API security is challenging for all social media, it is paramount for a company that marketed “disappearing” messages, inspired many third-party apps that reverse engineer its API, and has already been subjected to a complaint by the Federal Trade Commission that specifically faulted the company for an insecure API.

Perhaps it would be unreasonable to expect most modern software applications to take extraordinary steps to secure their API. But ephemeral media companies are extraordinary. There is more that these companies can and should do to protect the trust their users have placed in them. While it is difficult, there are ways to ensure that only authorized software can interact with an API, like rigorous client authentication in addition to standard user authentication. It should be a warning sign when hundreds of different users access an API from the same IP address.
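The warning sign named above, many different users reaching an API from one IP address, can be checked over API access logs. The sketch below is an added example, not Snapchat's code or part of the original article; the log format, the ten-minute window, the threshold and the sample lines are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed log lines, assumed format: ISO timestamp, source IP, user id."""
    lines = []
    # One IP acting for six accounts within a few seconds (the pattern to flag).
    lines += [f"2014-10-12T10:00:{i:02d} 203.0.113.7 user{i}" for i in range(6)]
    # A household behind one address: two accounts, repeated requests.
    lines += [f"2014-10-12T10:0{i}:00 198.51.100.4 {u}"
              for i, u in enumerate(["ann", "bob", "ann", "bob"])]
    # Six accounts on one IP, one per hour: never many inside a single window.
    lines += [f"2014-10-12T{10 + i}:30:00 192.0.2.9 guest{i}" for i in range(6)]
    return lines

def parse(line):
    ts, ip, user = line.split()
    return datetime.fromisoformat(ts), ip, user

def shared_ip_alerts(lines, window=timedelta(minutes=10), threshold=5):
    """Return {ip: peak distinct users} for every IP whose count of distinct
    users inside any sliding window reaches the threshold."""
    recent = defaultdict(deque)                      # ip -> (ts, user) in window
    counts = defaultdict(lambda: defaultdict(int))   # ip -> user -> events in window
    peaks = {}
    for ts, ip, user in sorted(parse(l) for l in lines if l.strip()):
        q, c = recent[ip], counts[ip]
        q.append((ts, user))
        c[user] += 1
        # Drop events that have aged out of the window for this IP.
        while ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        if len(c) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(c))
    return peaks

if __name__ == "__main__":
    for ip, n in shared_ip_alerts(build_sample()).items():
        print(f"{ip}: {n} distinct users within 10 minutes")
```

Shared addresses such as carrier NAT or campus networks will also concentrate users, so a production threshold would be tuned per network and combined with the client authentication the paragraph describes.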

We should demand more as we embrace this useful and promising technology. We need better notice from companies on how to work together to protect personal data. Ephemeral media companies must respect the trust they are inviting from us. As data security policy in the U.S. evolves, it must continue to require contextually reasonable data security practices from companies.

Snapchat and “privacy lite” apps like it should resist blaming users and acting like it is just another social medium with respect to data security. People are attracted to these technologies because they seem less risky than services like Facebook, Twitter, or Instagram. These companies should work with their users to ensure their technologies live up to their promise.

I thank Ashkan Soltani for helping me with the technical aspects of this story.

Published in: Publication, Other Writing, Privacy