chose to find friends, Snapchat collected not only the user’s phone number, but also, without
informing the user, the names and phone numbers of all the contacts in the user’s mobile device
address book.
Finally, Count 6 of the complaint alleges that Snapchat misrepresented that it employed
reasonable security measures in the design of its find friends feature. Specifically, the complaint
alleges that for a certain period of time, Snapchat failed to verify that the phone number that an
iOS user entered into the application did, in fact, belong to the mobile device being used by that
individual. Due to this failure, an individual could create an account using a phone number that
belonged to another consumer, enabling the individual to send and receive snaps associated with
another consumer’s phone number. Additionally, for a certain period, Snapchat allegedly failed to
implement effective restrictions on the number of find friends requests that any one account could
make. Further, Snapchat allegedly failed to implement any restrictions on serial and automated
account creation. As a result of these security failures, in December 2013, attackers were able to
use multiple accounts to send millions of find friends requests and compile a database of 4.6
million Snapchat usernames and the associated phone numbers.
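The three failures alleged in Count 6 are independent controls, and it is worth seeing why each matters. The following is an added, hypothetical model written for this page; it is not Snapchat's code, and the directory, limits, phone numbers and source addresses are all constructed. It implements a contact-lookup service with (1) verification that the registrant actually receives a code sent to the claimed phone number, (2) a per-account lookup budget, and (3) a cap on accounts created from one source, then runs the same two attacks (registering with someone else's number, and bulk enumeration from many accounts) against the service with the controls switched off and on.

```python
"""Hypothetical model of a contact-lookup ("find friends") service with the
three controls Count 6 says were missing: phone-ownership verification, a
per-account lookup budget, and a cap on account creation per source.
Illustrative only; not Snapchat's code, and every limit here is made up."""
import hmac
import secrets
from collections import defaultdict

# Constructed sample directory: 2,000 users whose numbers are spread across a
# 10,000-number range, so an unrestricted scan finds one hit per five guesses.
DIRECTORY = {f"user{i:04d}": f"+1555000{i * 5:04d}" for i in range(2000)}
SCAN_RANGE = [f"+1555000{i:04d}" for i in range(10000)]


class Denied(Exception):
    """Raised when a control blocks the request."""


class ContactLookupService:
    def __init__(self, directory, max_lookups_per_account=None,
                 max_accounts_per_source=None, require_verified_phone=False):
        # None / False means the control is absent (the state the complaint alleges).
        self.phone_to_user = {phone: user for user, phone in directory.items()}
        self.max_lookups = max_lookups_per_account
        self.max_accounts = max_accounts_per_source
        self.require_verified = require_verified_phone
        self.accounts = {}                            # username -> account record
        self.accounts_per_source = defaultdict(int)   # IP/device -> accounts created
        self.lookups_used = defaultdict(int)          # username -> numbers queried
        self.sms_outbox = {}                          # phone -> last code "sent" to it

    def create_account(self, username, claimed_phone, source):
        if self.max_accounts is not None and self.accounts_per_source[source] >= self.max_accounts:
            raise Denied(f"account creation limit reached for {source}")
        self.accounts_per_source[source] += 1
        code = secrets.token_hex(3)
        self.sms_outbox[claimed_phone] = code   # only the phone's real owner receives this
        self.accounts[username] = {"phone": claimed_phone, "code": code, "verified": False}

    def verify_phone(self, username, submitted_code):
        acct = self.accounts[username]
        if hmac.compare_digest(acct["code"], submitted_code):
            acct["verified"] = True
        return acct["verified"]

    def find_friends(self, username, phone_numbers):
        """Returns {phone: username} for submitted numbers that belong to users."""
        acct = self.accounts[username]
        if self.require_verified and not acct["verified"]:
            raise Denied("phone number not verified")
        if (self.max_lookups is not None
                and self.lookups_used[username] + len(phone_numbers) > self.max_lookups):
            raise Denied("lookup budget exhausted")
        self.lookups_used[username] += len(phone_numbers)
        return {p: self.phone_to_user[p] for p in phone_numbers if p in self.phone_to_user}


def account_usable_with_foreign_phone(service):
    """First failure mode: register with a number you do not own, then use the account."""
    service.create_account("impostor", "+15550000000", "198.51.100.1")  # user0000's number
    try:                      # the attacker never receives the code sent to that phone
        service.find_friends("impostor", [])
        return True
    except Denied:
        return False


def enumerate_directory(service, attacker_phones, attacker_accounts=500,
                        batch=100, source="203.0.113.7"):
    """Second and third failure modes: many accounts, each submitting batches of
    guessed numbers (the December 2013 pattern). Returns the {phone: username} leaked."""
    harvested, pos = {}, 0
    for n in range(attacker_accounts):
        user = f"bot{n}"
        # The attacker really controls a few phones; the rest of its accounts claim numbers it does not.
        phone = attacker_phones[n] if n < len(attacker_phones) else f"+1555999{n:04d}"
        try:
            service.create_account(user, phone, source)
        except Denied:
            break                       # account-creation cap reached
        if phone in attacker_phones:    # codes for other people's phones never arrive
            service.verify_phone(user, service.sms_outbox[phone])
        while pos < len(SCAN_RANGE):
            try:
                harvested.update(service.find_friends(user, SCAN_RANGE[pos:pos + batch]))
            except Denied:
                break                   # this account is spent; move to the next one
            pos += batch
        if pos >= len(SCAN_RANGE):
            break
    return harvested


if __name__ == "__main__":
    own = [f"+1555888{i:04d}" for i in range(5)]   # phones the attacker genuinely controls
    for label, kw in [("no controls", {}),
                      ("verification only", dict(require_verified_phone=True)),
                      ("all three controls", dict(require_verified_phone=True,
                                                  max_lookups_per_account=200,
                                                  max_accounts_per_source=20))]:
        leaked = len(enumerate_directory(ContactLookupService(DIRECTORY, **kw), own))
        impostor = account_usable_with_foreign_phone(ContactLookupService(DIRECTORY, **kw))
        print(f"{label:>20}: impersonation={'allowed' if impostor else 'blocked'}, "
              f"numbers leaked={leaked}/{len(DIRECTORY)}")
```

Run stand-alone, the model reports that with no controls both attacks succeed and the whole directory leaks; with phone verification alone, impersonation is blocked but a single verified account still enumerates everything, because verification does nothing about request volume; and with all three controls the attacker is held to five verified accounts times a 200-number budget, leaking 200 of 2,000 entries. The per-source cap is the weakest of the three in practice, since an attacker with many addresses or devices can rotate sources, which is why the lookup budget, not the creation cap, does most of the work here.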
The proposed order contains provisions designed to prevent Snapchat from engaging in
the future in practices similar to those alleged in the complaint. Part I of the proposed order
prohibits Snapchat from misrepresenting the extent to which Snapchat or its products or
services protect the privacy, security, or confidentiality of covered information, including: (1)
the extent to which a message is deleted after being viewed by the recipient; (2) the extent to
which Snapchat or its products or services are capable of detecting or notifying the sender
when a recipient has captured a screenshot of, or otherwise saved, a message; (3) the
categories of covered information collected; or (4) the steps taken to protect against misuse or
unauthorized disclosure of covered information.
Part II of the proposed order requires Snapchat to establish and maintain a
comprehensive privacy program that is reasonably designed to: (1) address privacy risks
related to the development and management of new and existing products and services for
consumers, and (2) protect the privacy and confidentiality of covered information, whether
collected by Snapchat or input into, stored on, captured with, or accessed through a computer
using Snapchat’s products or services. The privacy program must contain privacy controls
and procedures appropriate to Snapchat’s size and complexity, the nature and scope of
Snapchat’s activities, and the sensitivity of the covered information. Specifically, the
proposed order requires Snapchat to:
designate an employee or employees to coordinate and be accountable for the
privacy program;
identify material internal and external risks that could result in Snapchat’s
unauthorized collection, use, or disclosure of covered information, and assess
the sufficiency of any safeguards in place to control these risks;
design and implement reasonable privacy controls and procedures to address
the risks identified through the privacy risk assessment, and regularly test or
monitor the effectiveness of the privacy controls and procedures;