Back in November of 2013, Snapchat, the popular image and video sharing application, spurned a $3 billion offer from Facebook. Facebook, losing ground among teens, is eager to purchase services that appeal to this audience. Though the offer was clearly way above Snapchat’s market value, it made sense in Facebook’s portfolio. Fast forward to Christmas 2013, and Gibson Security, a white hat security firm, releases code that reverse engineers Snapchat’s API to potentially pull the entire database of Snapchat users in less than a day. Fast forward a few days, and some hacker does just that. Now, it’s not like Snapchat wasn’t aware of the potential. In fact, Gibson Security warned them of the potential problem months earlier! Snapchat blithely ignored them.
Did Facebook narrowly miss another privacy faux pas?
If they had acquired them, what would the ramifications have been under their FTC consent decree?
There are two lessons to be learned from this incident.
Lesson 1: People (even teens) want privacy!
Snapchat provides limited functionality beyond what most smart phones can do. It allows you to snap pictures (and video), add a comment and then send it to friends. Guess what, almost every smart phone has MMS (multimedia messaging service) capabilities. So what did Snapchat add? The illusion of privacy. That’s right, I said illusion. Why is that? First off, the major selling point of Snapchat was the fact that “snaps” you sent were ephemeral and would be deleted from the recipient’s phone within a few seconds after receipt. This is why people flocked in the millions to Snapchat: not to replicate the existing functionality of the phone, but for the perceived privacy benefits of using Snapchat rather than relying on the end user to delete your picture voluntarily. I say this was an illusion because with another simple app, SnapCapture, the recipient could preserve the picture you sent. Equally importantly, Snapchat didn’t actually delete your images. Furthermore, Snapchat has the ability to intercept data for law enforcement prior to the recipient opening the image. At least they don’t save the images on their server after they have been delivered.
Bottom line: Consumers want privacy but most services fail to deliver it.
Lesson 2: Do your privacy due diligence.
“Snapchat has raised about $73 million in funding to date from investors including Lightspeed Venture Partners, Benchmark Capital, Institutional Venture Partners, SV Angel and General Catalyst Partners.” — USA Today. I understand that most app developers and small businesses have more to focus on than privacy. They have to build their product, make it work, market it, grow it, etc. However, that is NO excuse when you start getting into the big time and raise millions of dollars from investors. Privacy is a risk. It is a legal risk. It is a compliance risk. It is a MARKET risk. If you’re going to base your product on providing people privacy, you better be damn sure you provide people privacy. History is replete with failed security and privacy products. Even more on the hook are the investors and venture capital firms. Where were they in their due diligence? Did they completely ignore privacy and security? Were they blinded by the astounding growth in Snapchat’s user base and the faux privacy it was offering?
Fortunately, if you’re reading this, you may have an advantage. If you’re considering investing in a startup or growth company, get a privacy and security due diligence analysis done. Enterprivacy Consulting Group can examine the market, the application, the regulatory environment, the customer demographics and provide you a full analysis. Not necessarily to stall your investment but to make sure they are on the right track and won’t end up the next Snapchat.