27612
Federal Register / Vol. 79, No. 93 / Wednesday, May 14, 2014 / Notices
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
snapchatconsent by following the
instructions on the web-based form. If
this Notice appears at http://
www.regulations.gov/#!home, you also
may file a comment through that Web
site.
If you file your comment on paper,
write ‘‘Snapchat, Inc.—Consent
Agreement; File No. 132 3078’’ on your
comment and on the envelope, and mail
your comment to the following address:
Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue
NW, Suite CC–5610, (Annex D),
Washington, DC 20580, or deliver your
comment to the following address:
Federal Trade Commission, Office of the
Secretary, Constitution Center, 400 7th
Street SW., 5th Floor, Suite 5610,
(Annex D), Washington, DC 20024. If
possible, submit your paper comment to
the Commission by courier or overnight
service.
Visit the Commission Web site at
http://www.ftc.gov to read this Notice
and the news release describing it. The
FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before June 9, 2014. You can find more
information, including routine uses
permitted by the Privacy Act, in the
Commission’s privacy policy, at http://
www.ftc.gov/ftc/privacy.htm.
Analysis of Proposed Consent Order To
Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, a
consent order applicable to Snapchat,
Inc. (‘‘Snapchat’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
Snapchat provides a mobile
application that allows consumers to
send and receive photo and video
messages known as ‘‘snaps.’’ Both the
iTunes App Store and the Google Play
store list Snapchat among the top 15
free applications. As of September 2013,
users transmitted more than 350 million
snaps daily. Before sending a snap, the
application requires the sender to
designate a period of time that the
recipient will be allowed to view the
snap, up to ten seconds. Snapchat
markets the application as an
‘‘ephemeral’’ messaging application,
and claimed that once the timer expires,
the snap ‘‘disappears forever.’’ Snapchat
represented, for a certain period, on its
product description page on the iTunes
App Store and Google Play and on the
‘‘FAQ’’ page on its Web site that snaps
disappear when the timer expires.
Snapchat further claimed that if a
recipient took a screenshot of a snap,
the sender would be notified. Snapchat
also provides its users with a feature to
find friends on the service, and prompts
users during registration to enter their
mobile telephone number in order to
find friends.
Count 1 of the Commission’s
complaint alleges that Snapchat
misrepresented that when sending a
message though its application, the
message would disappear forever after
the user-set time period expires. Count
2 of the complaint alleges that Snapchat
misrepresented that the sender will be
notified if the recipient takes a
screenshot of a snap. The complaint
alleges that several methods exist by
which a recipient can use tools outside
of the application to save snaps,
allowing the recipient to view them
indefinitely. Additionally, the
complaint alleges that widely
publicized methods existed by which
recipients could easily circumvent
Snapchat’s screenshot detection
mechanism and capture a screenshot of
a snap without the sender being
notified.
Count 3 of the complaint alleges that
Snapchat misrepresented in its privacy
policy that it does not access location-
specific information from consumers’
mobile devices. Contrary to this
representation, the complaint alleges
that for a certain period, the Snapchat
application on Android transmitted Wi-
Fi based and cell-based location
information from user’s mobile devices
to an analytics tracking provider.
Count 4 of the complaint alleges that
Snapchat misrepresented, for a certain
period, in its user interface that a user’s
mobile phone number was the only
personal information that Snapchat
collected in order to find the user’s
friends. Count 5 of the complaint alleges
that Snapchat misrepresented in its
privacy policy that it collected only the
user’s email, phone number, and
Facebook ID for the purpose of finding
friends. However, the complaint alleges
that when the user chose to find friends,
Snapchat collected not only the user’s
phone number, but also, without
informing the user, the names and
phones numbers of all the contacts in
the user’s mobile device address book.
Finally, Count 6 of the complaint
alleges that Snapchat misrepresented
that it employed reasonable security
measures in the design of its find
friends feature. Specifically, the
complaint alleges that for a certain
period of time, Snapchat failed to verify
that the phone number that an iOS user
entered into the application did, in fact,
belong to the mobile device being used
by that individual. Due to this failure,
an individual could create an account
using a phone number that belonged to
another consumer, enabling the
individual to send and receive snaps
associated with another consumer’s
phone number. Additionally, for a
certain period, Snapchat allegedly failed
to implement effective restrictions on
the number of find friends requests that
any one account could make. Further,
Snapchat allegedly failed to implement
any restrictions on serial and automated
account creation. As a result of these
security failures, in December 2013,
attackers were able to use multiple
accounts to send millions of find friends
requests and compile a database of 4.6
million Snapchat usernames and the
associated phone numbers.
The proposed order contains
provisions designed to prevent
Snapchat from engaging in the future in
practices similar to those alleged in the
complaint. Part I of the proposed order
prohibits Snapchat from
misrepresenting the extent to which
Snapchat or its products or services
protect the privacy, security, or
confidentiality of covered information,
including: (1) The extent to which a
message is deleted after being viewed by
the recipient; (2) the extent to which
Snapchat or its products or services are
capable of detecting or notifying the
sender when a recipient has captured a
screenshot of, or otherwise saved, a
message; (3) the categories of covered
information collected; or (4) the steps
taken to protect against misuse or
unauthorized disclosure of covered
information.
Part II of the proposed order requires
Snapchat to establish and maintain a
comprehensive privacy program that is
reasonably designed to: (1) Address
privacy risks related to the development
and management of new and existing
products and services for consumers,
and (2) protect the privacy and
confidentiality of covered information,
whether collected by Snapchat or input
into, stored on, captured with, or
accessed through a computer using
Snapchat’s products or services. The
privacy program must contain privacy
VerDate Mar<15>2010 18:25 May 13, 2014 Jkt 232001 PO 00000 Frm 00043 Fmt 4703 Sfmt 4703 E:\FR\FM\14MYN1.SGM 14MYN1
emcdonald on DSK67QTVN1PROD with NOTICES