As Snapchat “hack” highlights, promises of privacy and security can be very dangerous

In the wake of this week’s apparent hacking of hundreds of thousands of Snapchat images via a third-party service, it’s worth revisiting some fundamentals about the scary business of security and privacy recommendations.

I’ve been paying a fair amount of attention to this scene in recent years, particularly after Edward Snowden’s mass surveillance revelations last year. One thing I keep hoping to do is to write a guide to safer internet usage — but so far, I’ve been too scared to do so. Above all, I’m terrified about giving someone inaccurate or overconfident advice that could get them hurt in some way.

Even something like PGP email encryption — technically speaking, a very secure mechanism — has potentially disastrous pitfalls. Correct usage takes place within strict guidelines that are in many circumstances difficult to follow, so the last thing I’d want to do at this point is to encourage someone who might be non-technical to try using it, certainly if they would be doing so to pass me sensitive information (this may change as smart people evolve the user experience). My correspondent might mess up as they navigate the complex key management process. To be frank, so might I — something I’m sorry to say, but there it is.

(If both parties definitely know what they’re doing, of course, then by all means use PGP. I’m still trying to figure out whether I should implement it for receiving tip-offs — unfortunately email inherently leaks metadata, even with PGP, and even encrypted conversations have to start with an unencrypted first contact.)

Use cases

The closest I’ve come to a how-to guide came earlier this week, when I posted some musings about the smartphone “privacy pouch” – a simple device that’s easy to use, technically speaking, but that could in some cases be misused. As a commenter pointed out to me in slightly over-strenuous terms, someone who knows they’re being actively monitored could be endangered if they use the pouch as infrequently as I suggested in my piece.

I countered that my advice was mainly meant for people who want to strategically drop off the radar every now and again, but that’s a specific use case. It’s true that in certain circumstances — say, someone being pursued by secret police in a nasty regime — you’d want to use the pouch on a near-constant basis (if indeed you’d have a phone on you at all). Did I say that in my article? No, because I wasn’t exhaustively listing all possible use cases. That’s fair in a way, but I might potentially have been offering dangerous advice to one or two individuals.

Gigaom illustration

The Snowden revelations continue to come, albeit at a slower pace than in 2013, and they’re joined by news of other dangerous vulnerabilities such as Heartbleed (affecting industry-standard web encryption) and Shellshock (affecting many things Unix-based). You and I never know what the next weak link in the internet security chain will turn out to be, and that makes it damn hard to recommend anything with certainty.

That’s not to say we should all give up: It’s better to try to use the security and privacy mechanisms that are most likely to work, rather than to use none at all. Use a password manager and two-factor authentication! Encrypt what you can! But it does make the recommendations business a hair-raising one for someone — like myself — who wants the recommendations to be suitable for as wide an audience as possible, including non-technical types.

Snapchat hack

Which brings us back to Snapchat and this week’s apparent hack of a third-party service, which some Snapchat customers had been using to save supposedly self-destructing photos for repeated viewing. According to some reports, this service was quietly filing away copies of the pictures passing through its systems, and then someone else stole that trove. With the promised searchable database yet to appear at the time of writing, there’s still a chance it may all turn out to be an elaborate 4Chan hoax (some of the “proof” pictures that have appeared are old), but the scenario is technically plausible and Snapchat is treating it as a thing that happened.

Also, on Saturday someone who’s maybe the hacker said he’s realised releasing all this stuff would be a bad idea for everyone concerned:

Almost but not quite reassuringly, the writer of that anonymous post claims there is “little to no child pornography in this archive”. It seems others may have that archive too, though.

Going on the assumption that the hack occurred, or even just considering that it could, this both is and isn’t Snapchat’s fault. As the company stressed in response to the incident, its terms and conditions expressly forbid “Snapchatters” from using third-party apps to send or receive the service’s self-destructing messages, and the firm tries to stamp out these apps when it finds them. These apps are impossible to police definitively, due to the ease with which they can be distributed outside of the official Apple and Google app stores (arguably more so with Android than iOS), but it seems true that Snapchat is doing almost everything it can to combat the problem.

Unfortunately, the ultimate weapon against this sort of abuse would be for Snapchat to not exist at all, because a service like that is inherently insecure. Even if it managed to overcome problems such as the ability of dodgy third-party apps to act as Snapchat clients, we’re still talking about pictures on screens. Quickly take a photo of the screen with another camera – boom, there goes your privacy mechanism.

Snapchat no longer promises its users that their photos will “disappear forever”, but that’s only because the U.S. Federal Trade Commission ordered it to stop doing so five months ago. Its users still know it as that app with the reliably temporary photos, and those that send sexual pictures over Snapchat trust that this mechanism will keep them safe from revenge porn, or the kind of nastiness we’re seeing this week. That level of protection is what the service is for – otherwise people wouldn’t use it. I wouldn’t recommend that they do, at least not with any false sense of security.

Claim caution

Snapchat bears some responsibility if it makes promises it can’t keep, no matter how hard it tries. That makes it somewhat disappointing to see the company try to shift the blame entirely onto those users who secretly saved the snaps they received – even though these users must certainly bear the majority of the blame, Snapchat’s inability to stop them, combined with the image it projects to vulnerable people (its users are largely young, remember), means the company must share some of the blame too.

The fact is, if you face a determined attacker – whether it be someone saving Snapchat images, or someone who knows how to exploit the weaknesses in a service like iCloud, or the NSA, or a stalker in the offline world – you’re in trouble.

That doesn’t mean it’s not worth taking defensive measures, as they can work against less competent or less focused attackers. But it does mean that those promoting defensive measures – whether they be security vendors, or “privacy app” marketers, or journalists like me – had better be extraordinarily careful about what claims they attach to their recommendations.