Snapchat – Great, Another Way to Destroy Your Brand
When I first saw the below interview on The Colbert Report with the Stanford Whiz Kids who created Snapchat, I remember thinking: “Great, another way for people to totally destroy their reputations…and their employer’s reputations…and school’s reputations…and on and on.
Don’t know about Snapchat? Read on.
What is Snapchat?
Snapchat is a photo messaging application developed by Evan Spiegel and Bobby Murphy as a project for one of Spiegel’s classes at Stanford University. Using the app, users can take photos, record videos, add text and drawings, and send them to a controlled list of recipients. These sent photos and videos are known as “Snaps”. Users set a time limit for how long recipients can view their Snaps, ranging from up to 10 seconds to as little as 1 second, after which they will be hidden from the recipient’s device and deleted from the company’s servers. Snapchat was launched in September 2011 in Spiegel’s father’s living room.
In May 2012, 25 images were being sent per second. As of 28 November 2012, users had shared over one billion photos on the Snapchat iOS app, with 20 million photos being shared per day. According to their blog in June, “Less than two years later, Snapchatters are sharing over 200 million snaps every day.”
Also in June 2013, Snapchat introduced Snapkidz for users under 13 years old. Snapkidz is part of the original Snapchat app, and is activated when the user provides a date of birth that reveals them to be under 13. Snapkidz allows children to take snaps and draw on them, but not send them to other users. Snaps taken with Snapkidz can be saved locally on the device.
On May 9, 2013, Forbes reported that the photos do not actually disappear, and that they can still be retrieved even after their time limit had expired with a minimum of technical know-how. A few days later, the Electronic Privacy Information Center filed a complaint against Snapchat with the Federal Trade Commission saying that the company deceived its customers by leading them to believe that pictures are destroyed within seconds of viewing.
One enterprising person even started a “Snapchat Leaked” website. As described in BetaBeat: “In case the hack of recovering supposedly deleted photos wasn’t enough to scare you away from Snapchat, then we found something even more terrifying. It’s called Snapchat Leaked (NSFW) and it confirms all of your horrifying nightmares about whatever naughty things you send on the app becoming public.”
In an excellent analysis on Sophos’ Naked Security Website on May 10, 2013, Paul Ducklin wrote a detailed article on the “perceived” deletion of data:
Clearly, Snapchat’s primary feature, if not its raison d’etre, is “managed risk”.
You can live a bit recklessly, Snapchat seems to be saying, because the snap disappears after your friends have looked at it.
In fact, the app description on Google’s Play Store goes one step further, promising disappearance for all eternity:
Snapchat is the fastest way to share a moment with friends.
You control how long your friends can view your message – simply set the timer up to ten seconds and send.
They’ll have that long to view your message and then it disappears forever.
We’ll let you know if they take a screenshot!
As fellow Naked Security writer Graham Cluley asked late last year, early on in Snapchat’s short history, “How do you reconcile ‘disappears forever’ with ‘if they take a screenshot’?”
After all, if the screenshot warning ever does come up (assuming the screenshot detector does its job), the one thing you can be sure of is that the image has not disappeared forever, or even at all.
That’s because the screenshot function creates a new image, not managed by the Snapchat application, and saves it where your friend is in complete control of it, rather than you or Snapchat.
So “disappears forever” is something of a bogus concept to start with.
But just how meaningful is Snapchat’s promise if you completely ignore the screenshot problem, or the taking-a-picture-of-the-screen-with-another-camera problem?
US-based computer forensics geek Richard Hickman thought he’d find out.
Be prepared to laugh (or cry – it’s not really funny): according to Hickman, “expired” Snapchat photos don’t disappear at all!
He grabbed a forensic image of a phone running Snapchat, found a directory called received_image_snaps and looked in it.
Both unviewed and expired images were still there.
If Hickman’s analysis is correct (and it certainly seems to be), Snapchat relies on two steps to make your images “disappear”:
It adds the extension .nomedia to the filenames, which is a standard Android marker that says, “Other apps should ignore this file. Do not index it, thumbnail it, add it to any galleries, or whatnot. Leave it to me.”
It adds a record to its own database to say, “The following image should be treated as though it doesn’t exist. Leave it to me, and I will pretend it has disappeared forever.”
Just as egregiously, Snapchat doesn’t even come close to guaranteeing that your images get deleted from its own servers once they’ve been delivered:
When you send or receive messages using the Snapchat services, we temporarily process and store your images and videos in order to provide our services. Although we attempt to delete image data as soon as possible after the message is received and opened by the recipient (and after a certain period of time if they don’t open the message), we cannot guarantee that the message contents will be deleted in every case.
So when you share that “ugly selfie”, where does it end up?
It’s stored on your phone, but you’d expect that because you took it, so that’s your lookout.
It’s stored on Snapchat’s servers, where it will probably be deleted once it’s been delivered, but not in every case.
And it’s stored on the recipients’ phones, from where it apparently won’t be deleted at all, though it will be marked “not for display,” which seems to be synonymous in Snapchat’s argot with “disappears forever”.
So whether it’s an image of one of your employees mocking hallowed ground, or documentation of an ill-advised night of questionable party behavior, it is going to surface, somewhere.
ConnectSafely, the non-profit Internet safety organization, has published a free six-page Parents Guide to Snapchat that advises parents on how their kids can more safely and responsibly use the service. There are also Parents Guides to Instagram and Facebook. But this is not just about kids; it’s about you, your company and its employees. Helping your employees educate their children may help them educate themselves, and help you manage risk more effectively.
If you’re not having regular conversations with your employees on the emergence of new social tools and how your employees are using these tools, you are not managing risk, you’re ignoring it, and “Denial is not a strategic plan…”