Snapchat’s Non-Vanishing Message: You Can Trust Us
A rare interview with Snapchat tech executives about a transparency report, a bug bounty program, a third-party app ban…and apologies
The last 12 months have been pivotal for Snapchat, the four-year-old messaging service known for making its posts disappear. Its Snapchat Stories (aggregating a user’s images of a day or event) now generates more images than its core messaging function. It has built-in video chat, advertising and even a feature that lets users send money to each other. With its Discover program, it has forged partnerships with some of the world’s most powerful media organizations. Its most recent funding round valued the company at $15 billion. And little by little, people over 35 are realizing that Snapchat is not just about sexting, but that the 800 million Snaps sent every day are instead a primary form of keeping contact with close friends.
So it stands to reason that it’s time for Snapchat to make a statement that it is a company to be trusted.
The very nature of Snapchat is shaped by a single, definitive feature: messages vanish, 10 seconds or less after the recipient views them. A spokesperson says it succinctly: “Deletion by default is the core of the company.” For many young people who felt burdened by the idea that their exchanges on other services might follow them for life, Snapchat’s ephemerality was liberating.
But when it comes to trust, the company has some history to overcome. In Snapchat’s brief existence, it has been cited by the FTC for misrepresenting its privacy practices, left user information exposed to intruders, and failed to prevent third-party applications from making it all too easy to archive Snaps, a perversion of the spirit of the service. The latter failure led to “the Snappening,” where a malicious hacker accessed thousands of private photos stored on a third-party application that Snapchat had failed to block. None of this flattened the company’s hockey-stick growth pattern, but Snapchat found itself on the outs with the privacy community. Last year when the Electronic Frontier Foundation published its annual “Who Has Your Back” rating of Internet services, Snapchat finished at the bottom.
Today, Snapchat is promoting a different narrative, that of a responsible enterprise with a world-class security team. To back up this claim, it’s announcing three developments in its effort to improve security, bolster its privacy protections, and engender trust.
A transparency report. For the first time, Snapchat joined companies like Google, Facebook and Yahoo in reporting the frequency of requests for user content and information from law enforcement and national security agencies. The volume of requests is relatively low: 375 total asks between November 2014 and February 2015, affecting 666 accounts. Many requests yielded no data, and apparently the bulk of the requests resulted not in message content but metadata, such as whom the targets exchanged Snaps with. Snapchat says that in some cases it successfully narrowed the scope of specific requests.
An expanded “bug bounty program.” Building on a previously private effort, Snapchat is now enlisting coders across the globe to find vulnerabilities in Snapchat that could compromise its security. To reward their efforts, Snapchat will give cash to those who discover such flaws, the payment varying according to the severity of the bug.
A complete shutdown of third-party apps. In order to protect its users, Snapchat does not publish or allow access to its APIs; nonetheless, third parties have found their way in and offered apps that compromise privacy on Snapchat in the guise of added functionality. For months Snapchat has been making it harder for outsiders to write such apps; now it has introduced new techniques that it hopes will shut the door decisively.
To this list you can add a fourth element. For the first time, Snapchat made its key privacy and security executives available in an interview to outline the company’s commitment to protecting its users, and to explain how far they’ve come. They also acknowledged and apologized for the glitches, errors and omissions that have stained the company’s record thus far.
Snapchat’s co-founder and CEO Evan Spiegel knows that if Snaps were as routinely archived as Facebook posts or SMS messages — or if intruders were able to easily pick them off — his vision of carefree communication would be in peril. So early on he sought to recruit highly experienced hands in infrastructure. In August 2013, longtime Amazon engineer Tim Sehn became Snapchat’s eighteenth employee. Sehn had worked for Amazon since early 2001, rising from an intern to a director. At one point Sehn was responsible for the performance of Amazon’s flagship retail website. In early 2013 he’d been in charge of maintaining Amazon Web Services. That’s when Snapchat came calling.
Sehn’s job involved all of Snapchat’s infrastructure, but he quickly learned that he would face unusual challenges in terms of security. The week before he joined, Snapchat was reeling from a publication in a security journal that described how its API worked. This information allowed third-party developers to build on top of Snapchat, creating apps that not only introduced a gateway to spam but allowed practices that violated the company’s terms of service — particularly in allowing users to routinely archive Snaps. “Almost every security issue we’ve had since I’ve been here has been related to API abuse,” he says.
But in 2013, there were other issues regarding trust, notably a complaint to the FTC that Snapchat was misleading users by claiming that Snaps always disappeared after viewing. (The exception Snapchat cited was when a recipient took a screenshot, whereupon the sender would be notified of the capture.) In fact, in some versions of the iPhone operating system, the Snaps weren’t actually deleted but simply renamed; savvy users could retrieve them. Also, many users wound up saving Snaps on those aforementioned third-party apps. This led to a full-blown FTC investigation.
As Snapchat explains it now, the agency’s concerns were mainly about language, not any flaws in the service itself. “The FTC’s principal focus was the app store description, written when the founders were back at Stanford,” says Micah Schaffer, a policy and governance expert who joined Snapchat in 2013. (In an earlier job, he had been in charge of policy for YouTube.) At that time, he says, Spiegel and co-founder Bobby Murphy had no idea that the service would be so popular that a cottage industry of rogue third-party apps designed to save Snaps would emerge. Because the app-store description failed to capture the nuances of Snapchat’s ephemerality, the company says, the FTC regarded it as misleading.
Marc Rotenberg, the head of the Electronic Privacy Information Center (EPIC), which brought the original complaint, considered it a more serious breach. “It was a deceptive practice,” he says. “This was the whole basis of their service offering. If you say your message will vanish, then your message has to vanish. Otherwise you’re lying.”
That settlement came in May 2014, but as its security and policy teams now explain, they were hard at work securing the system long before that. At the end of 2013 Snapchat began experiencing severe spam attacks, where malfeasants would target users and employ their accounts to send Snap-spam. “At the time, we didn’t have the basic tools to manually deal with a spam problem, so we started working seven days a week, around the clock, to implement defenses,” says Sehn. The moment was transformative for the company, as it devoted 10 percent of its resources to the problem. As security became a high priority at the company, that 10 percent is now standard — both in the form of a beefed-up team dedicated to security and in engineers within product teams working on such problems.
As 2013 ended, though, Snapchat’s anti-spam initiative became more complicated as some enterprising hacker figured out a way to pair the names and phone numbers of four million Snapchatters. In retrospect the hack could have been prevented. Snapchat identifies users by phone numbers, and the intruder simply found a way to test out many millions of random numbers to see if they matched users. (The hacker took advantage of Snapchat’s “Find Friends” function, which lets users discover their contacts on the service by typing in their phone numbers.) On the eve of the new year of 2014, Sehn and his team learned that those millions of paired user names and numbers had been published on the web.
Dealing with that crisis required an even bigger engineering effort. “We got all hands on deck to work on this problem for two weeks, just to get our spam-abuse house in order,” says Sehn. Snapchat implemented not only short term fixes, but crafted a long-term plan that employs “IP rate limiting,” an “automatic and aggressive” scheme that monitors input into the service. When Snapchat detects suspicious activity, it shuts down the Internet neighborhood where the threat originates, even at the risk of affecting innocent users. “We were willing to cause a little bit of collateral damage to regular users to prevent the vast majority of spammers from taking us down from an abuse perspective,” says Sehn.
(Snapchat also benefits from a close relationship with Google, which hosts Snapchat’s operations on its cloud. Snapchat is now the biggest customer of Google App Engine, and will be for the foreseeable future.)
Sehn does have regrets from the Find Friends exploit, which became part of the aforementioned FTC settlement. (Technically, the agency charged Snapchat with misleading users by claiming that it took reasonable measures to protect user information, a promise the FTC found spurious.) “I think one of the mistakes was not apologizing quickly enough,” he says. “So I want to apologize to our users.”
After that episode, Snapchat started a search for a top security executive. In April 2014, Jad Boutros filled that role. Boutros came from Google, where his most recent job was maintaining security for the company’s entire social layer, including Google Plus. Boutros immediately launched a series of in-depth security reviews. “It wasn’t hard to come up with a huge list of improvements,” he says. (He emphasized that this is not an indictment of previous practices, but a need for the highest standards.) In addition to securing the code base, he initiated formal protocols to integrate security design into all the engineering teams, building what he calls a “culture of security.”
It wouldn’t be easy. Not long after he joined, Snapchat suffered another big spam attack. Boutros set up a war room to deal with spammers. “We went from a bad situation, to where it’s very, very difficult for spammers to create accounts,” he says.
All throughout, Snapchat’s biggest security problem remained — outsiders who figured out how to access the company’s supposedly secret APIs, and then inserted spam or created third-party apps. Some of those apps offered users a way to violate Snapchat’s terms of service by capturing and archiving Snaps routinely. When one of those apps, called Snapsaved, was hacked, the perpetrators posted over 90,000 picture and videos online. Even though Snapchat itself wasn’t directly victimized in what was dubbed The Snappening, Snapchat admits that the company should have been more proactive in stopping third-party services. And in our meeting, the executives reiterated their apology for that incident.
Now, says Sehn, Snapchat is doing much more to pull the plug on third-party apps. This week’s announcement that the APIs have been fortified — enough, in fact, to fix the third-party problem — is less a binary switch than an acknowledgement of an ongoing effort. Just check the iTunes App Store to see what users of those now-endangered third-party apps are saying. In reviews of SnapCrack, which promises to “save all the snaps you get from friends,” commenters are frustrated that the app they bought for $5 wasn’t working. “This app used to be the best,” wrote one reviewer on the iTunes App Store. “And now for the past few days it keeps saying it can’t connect to the Snapchat server. An update is needed, something, anything!”
Snapchat not only works with Apple and Google to try to block apps in their stores that violate Snapchat’s terms of service, it also started cracking down on users who install such apps. First comes a warning, and then, if the user persists in employing the third-party app, Snapchat will lock the account. Snapchat hopes that these measures will no longer be necessary, since it now feels it has fortified its platform to repel all the piggy-backing apps. (And you can’t get around this by using an earlier version of Snapchat; the company now requires users to upgrade to the current version of the app.)
“We never wanted third-party apps on our platform,”says Sehn. “We have created a product where it is more critically important than ever before that we control the end user experience. We’ve made commitments to our users.”
Snapchat, though, chafes at that characterization of the company. While affirming that Snapchat lives up to its obligations to users, its executives prefer that we not view Snapchat as a “privacy service,” but a fun and diverting means of communication.
Even conceding that point, some privacy activists complain that Snapchat still has a way to go. Their biggest complaint is that Snapchat does not employ “end-to-end” encryption. Implementing end-to-end would mean that from the minute someone produces a Snap until the instant a recipient sees it, the image or video is scrambled in such a way that no one can view it — not even Snapchat itself. Many of the major messaging companies (notably Apple) have adopted this practice, much to the ire of the FBI and other law enforcement and national security agencies. “This is the responsible way to deploy a messaging service in 2015,” says Christopher Soghoian, principal technologist of the ACLU.
Snapchat says it has no current plans to implement end-to-end encryption. But it does cite with pride the progress it has made, and now, having owned up to its shortcomings, it feels confident enough to claim that its privacy and security practices can stand up to scrutiny.
“On spam and abuse we are slightly worried that we have put our own team out of business [because they’ve shut down third-party apps so effectively],” says Boutros, only part jokingly. “So it’s a question of retooling, and starting to think proactively about where new forms of spam and abuse will come in.” Meanwhile, the constant work of tightening the code against attackers continues, both inside the company and now outside. “That is why we are opening up our bug bounty program, so our security team can hear more feedback,” Boutros says.
Speaking of bugs and features, Snapchat believes that its security practices belong in the latter bucket. “We actually consider it a competitive advantage that we care that much about users’ privacy and security,” says Sehn. “We care enough to delete their data. That is something that most companies don’t do because that data is valuable. It costs us something to do that. So it’s definitely part of the ethos that has been there since the start.”
Photos by David Walter Banks