On a recent night, scores of Snapchat users got a rude awakening: Hackers released at least 100,000 of their private and sometimes titillating photos and videos online in an event dubbed the “The Snappening.” The mobile messaging app has gained legions of fans by promising to destroy users’ content seconds after it is seen by the intended recipients. Instead, hackers got to it.
Here’s where the story gets more complicated: The hackers didn’t get the messages from Snapchat’s servers. Rather, a third-party app called Snapsaved — which allows users to save photos and videos from Snapchat in an online storage locker — confirmed on its Facebook page that hackers had accessed its servers and leaked the stored content to the web. Many Snapchat members had been using Snapsaved to retain disappearing messages. More troubling is that the exposed content is thought to include images of minors; half of Snapchat’s 30 million users are 13 to 17 years of age, according to Digiday.
Earlier this year, Snapchat’s own servers were attacked. In January, hackers exposed 4.6 million user names and phone numbers. Four months later, the U.S. Federal Trade Commission said it settled charges that Snapchat “deceived consumers with promises about the disappearing nature of … messages sent through the service,” as well as how adequately the company guarded its data. Snapchat said on its blog that the company has corrected its communication with users to make it clearer that while their messages are deleted on company servers, other users can take steps to save them. Snapchat did not admit violation of any law.
Snapchat’s case illustrates the complexities of assigning liability on the Internet when apps, networks and servers are increasingly interconnected. The FTC went after the company when the breach occurred on its computers. But in the case of a leak caused by a third-party app getting hacked, the issue of Snapchat’s liability is less clear. The legal dilemma posed by Snapchat and Snapsaved is particularly relevant at a time when Google, Facebook, Twitter and other tech companies routinely share some of their code, programs and data with outside developers to encourage the creation of apps that drive traffic back to their sites.
“Always assume your data can show up somewhere.” –Shawndra Hill
What makes it worse is that while tech companies do take steps to rein in the access of third-party developers by putting restrictions in their terms of service agreements — including how long the third party apps can store users’ data on their servers — many do not enforce those policies. “It’s important to be aware of how that data is being collected and used by third parties,” notes Shawndra Hill, Wharton professor of operations and information management. “I see people violate terms of service agreements all the time.” Hill also discussed the issue of how consumers can protect their privacy recently on the Knowledge at Wharton show on Wharton Business Radio on SiriusXM channel 111. (Listen to the podcast at the top of this page.)
Unless companies keep all the data on their own servers and grant access only to users — and barring any kind of hacking — preserving privacy will be difficult, Hill says. Consumers must be realistic about how private they can be online. “Always assume your data can show up somewhere,” she adds. Some people naively believe they are not interesting enough to be hacked, Hill notes, but most can come up with one or two people, such as a scorned former flame, who might want to use an embarrassing photo or other personal information against them.
Even if users take steps to protect their privacy, the security leak could come from friends who will post the information somewhere. “Even if you don’t share your personal data, there are other people sharing data about you,” Hill says. You can do it to your friends as well, if you use an app that gathers data from your phone contacts. “Sometimes when you sign on to these apps, they may not only collect your information but also link to all of your friends,” she points out. LinkedIn is one example of a service that can access all your contacts.
That is why companies with “significant” online operations have to keep data security in mind at every stage, especially for apps such as Snapchat that depend on the degree of trust users have in its ability to keep information private, notes Kevin Werbach, Wharton professor of legal studies and business ethics. “If technically the vulnerability comes from a third party application, and legally Snapchat is protected by its terms of service, it [still] has to be careful about gaining a reputation as an insecure service.”
But even if a company’s protections against hacking are “completely sound,” which they rarely are, human error could compromise that security, Werbach adds. “So companies like Snapchat need to think about robustness rather than just security: What plans and systems do they have in place to minimize the damage caused by hacks, and to respond quickly and effectively when they happen?” While companies have “too much” power to hide behind their terms of service to disclaim liability, “that alone isn’t necessarily enough protection against the fallout if something goes wrong,” he says.
Hacking and the Law
In the most recent breach, Snapchat has sidestepped responsibility since it was another company’s servers that were hacked. “Any application that isn’t ours but claims to offer Snapchat services violates our Terms of Use and can’t be trusted,” Snapchat said in a blog post. “When you give your login credentials to a third-party application, you’re allowing a developer, and possibly a criminal, to access your account information and send information on your behalf.”
“Even if technically the vulnerability comes from a third party application, and legally Snapchat is protected by its terms of service, it has to be careful about gaining a reputation as an insecure service.” –Kevin Werbach
While Snapchat keeps its application programming interface, or API, private, many other companies have public APIs, Hill says. If public, these APIs, which comprise a set of programming standards and specifications, give outside developers a certain amount of access to a database and programs. For example, the creator of a travel app who wants to add mapping functionality to its service could access the public API of Google Maps. Some tech companies ask third-party developers to pay in order to access their APIs, Hill notes. Snapchat only lets its internal developers access its API so unauthorized outside apps like Snapsaved have to reverse engineer the app to get it. Snapchat said in a blog post that it is asking Apple and Google to remove third-party programs for the messaging service from their respective app stores following the latest data leak.
Christopher Yoo, a professor of law, communication and computer and information science at the University of Pennsylvania Law School, points to similarities between the Snapchat-Snapsaved situation and the Target hacking attack, one of the largest data breaches on record affecting 40 million credit and debit card numbers. Both cases involved third-party breaches. Hackers gained access to the retailer’s systems by stealing log-in credentials of an outside vendor, not from Target directly. The retailer is being sued by scores of banks, consumers and shareholders.
On the government’s side, the lack of clarity in federal standards around data security is a problem for law-abiding companies. “There’s a great deal of uncertainty here,” Yoo points out. Even one of the FTC’s administrative law judges has said that the government needs to provide clearer direction on its data security rules, he notes. Thus far, the FTC has brought several actions based on charges of “unfair trade practices,” but people complain that this category is too vague. Such legal uncertainties could motivate companies to write indemnification clauses into contracts for protection and winnow out partners they do not trust, Yoo says, adding that doing so could slow down investment.
As for an app’s terms of service — the agreement most people hurriedly click through without reading when signing up for a new account — it does not necessarily protect the company. “There are times when the law will look past that,” Yoo says. For example, a retailer can include a clause in its contract with delivery drivers that they are banned from getting into vehicular accidents. “But it’s foreseeable that accidents are inevitable,” Yoo points out. “So the contract cannot protect the company from saying it’s the driver’s fault.”
Chip Becker, a lecturer at the University of Pennsylvania Law School, adds that the doctrine of “unconscionability” could supplant a company’s terms of service agreement with users. If the agreement is supremely unjust or grossly one-sided, a court could throw out parts of it — or the whole thing. But Becker, who also is a partner at the law firm of Kline & Specter, says unconscionability is a “very high” standard to reach and goes far beyond a firm simply “being unfair.”
How a company presents its terms of service to users also affects the enforceability of its policies, Becker notes. If the company requires users to click through it page by page, then the firm can make a stronger case that people should be reasonably aware of its terms. In contrast, a “pop-up” agreement might not hold up as strongly in court, he adds.
“The law proceeds incrementally, case by case, story by story, decision by decision.” –Chip Becker
A close look at Snapchat’s terms of service shows to what extent the company wants to restrict its liability. For instance, users who agree to the terms must arbitrate any claims instead of going to court. But if the matter does end up in court, the case must be filed in Los Angeles County and is bound by the laws of the state of California. The terms also say that if Snapchat was found liable, its liability cannot exceed $1. Becker says the company added a “hold harmless” clause as well, meaning it is not responsible for anything that happens in the use of its service.
Expense vs. Embarrassment
Consumers whose data were compromised could try to sue the tech company they hold liable, but users traditionally have not prevailed in court. However, “that may be changing,” Yoo says. Snapchat users could try to claim breach of contract, since the company did not come through with its promise of privacy, but then its own servers were not affected. As such, Snapchat has a “pretty fair argument that if users didn’t use Snapsaved, this would not have happened,” Becker notes.
According to Becker, it is unclear whether individuals will prevail even if they do risk a lawsuit. If photos were leaked, it has to be determined how the breach harmed users financially. “The harm suffered by a person will depend on what has been exposed and the degree to which the image has been distributed,” he says. Celebrities could have an easier case claiming damages if their reputation is tarnished by a leaked photo that led to the loss of acting roles and thus income. Indeed, Google is being sued for more than $100 million by an attorney representing more than a dozen actresses whose personal photos were stolen and posted online.
“It may not be worth it for people who aren’t in the public eye to pursue legal action, or for lawyers to take on such cases,” Becker says. “It’s very embarrassing; it’s very painful, but it’s also very expensive to file a lawsuit.” One could file a class-action lawsuit, but certification is quite difficult to get, he adds.
In the meantime, case law on data security will continue to develop and eventually catch up. “The law proceeds incrementally, case by case, story by story, decision by decision,” Becker says. “Over time, our legal doctrines will evolve to incorporate and provide a structure for answering these questions.”