The unique selling point for Snapchat – a USP that has proven very popular – is that it allows users to send friends a transient video or photo: the image is viewed and then automatically deleted. But researcher Richard Hickman discovered this month that Snapchat does not delete photos from the recipient's Android device, as it claims to do, but merely hides them by adding a .nomedia file suffix (details here). Then on Thursday last week YouTube user Nick Keck posted a video showing him locating 'deleted' Snapchat videos on his iPhone. While Hickman used a forensics application to find the files on Android, Keck merely searched the iOS file system with iFile.
Keck claims it took him just a few minutes in his lunch break to find a video that he recorded on his iPad, sent from one Snapchat account he owns to another, and viewed on his iPhone. He viewed the video and it then disappeared, as claimed by Snapchat. But as with Android, it is not deleted on iOS: it is just filed away out of sight, and remains retrievable. Keck's YouTube video shows him doing this; and while he says he didn't have time to look for 'deleted' photos, he is convinced they will be there somewhere.
This, claims EPIC, is misrepresentation amounting to deceptive trade practices. It is urging the Commission to investigate Snapchat; to require the company to improve its data security practices ("specifically to ensure that photos and videos are in fact deleted such that they cannot subsequently be obtained by others"); and to require it "to cure any deceptive statements."
This will be difficult to achieve while still maintaining its existing USP. On Android, "All a person needs to do if they want to retrieve the file is find the .jpeg.nomedia file on their device and simply delete the .nomedia extension," Ken Garner, business development manager at BlackBelt, explained to Infosecurity. "The only way to guarantee that the file has been removed from the device," he added, "is to use a data erasure tool."
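An audit check for the behaviour described above, added here as an example and not taken from the article, Snapchat or BlackBelt: it walks a directory tree (for instance a copy of an app's storage pulled from a test device) and reports files that carry a .nomedia suffix yet still begin with a media file signature. The directory layout, file names and sample bytes are constructed for the demonstration.

```python
import os
import tempfile

# (magic bytes, offset, label) for common media containers.
SIGNATURES = [
    (b"\xff\xd8\xff", 0, "jpeg"),
    (b"\x89PNG\r\n\x1a\n", 0, "png"),
    (b"ftyp", 4, "mp4/mov"),  # ISO base media files carry 'ftyp' at offset 4
]

def sniff(path):
    """Return the media type indicated by the file's leading bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    for magic, offset, kind in SIGNATURES:
        if head[offset:offset + len(magic)] == magic:
            return kind
    return None

def find_hidden_media(root):
    """Report (relative path, type, size) for .nomedia files that hold media."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".nomedia"):
                continue
            path = os.path.join(dirpath, name)
            kind = sniff(path)
            if kind:  # an empty ".nomedia" directory marker sniffs as None
                hits.append((os.path.relpath(path, root), kind, os.path.getsize(path)))
    return sorted(hits)

def build_sample(root):
    """Constructed sample tree; names and contents are made up for the demo."""
    cache = os.path.join(root, "app_cache", "received")
    os.makedirs(cache)
    samples = {
        "snap_0001.jpg.nomedia": b"\xff\xd8\xff\xe0" + b"\0" * 32,
        "clip_0002.mp4.nomedia": b"\x00\x00\x00\x18ftypmp42" + b"\0" * 12,
        ".nomedia": b"",                               # ordinary empty marker
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\0" * 8,  # visible file, ignored
    }
    for name, data in samples.items():
        with open(os.path.join(cache, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(*find_hidden_media(d), sep="\n")
```

Any hit means the content is still present on storage under a different name; an app that had actually deleted the media would leave nothing for the scan to report.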
But even if the file is successfully deleted – provided you know where to find it – it is still questionable whether Snapchat can genuinely claim the file has disappeared. "There will always be a way for someone to keep a temporary picture," continued Garner, "for instance by simply using the screen grab feature that is available on most smartphones. The general rule is that if something has appeared on a smartphone, it will always be retrievable, unless the device undergoes a full data wipe."
The case with the FTC may hinge on computing's definition of 'deleted'. Snapchat has some precedent. Operating systems have long had a 'delete' command that does not delete - it merely removes the 'deleted' file from the file system (that is, 'hides' it) and releases the space for re-use. Snapchat does half of this - it removes the file from the primary file system, but perhaps crucially it does not release the memory for re-use.