Snapchat’s recent ‘hack’ is a curious creature, because it is (mostly) a direct consequence of the semantics which Snapchat reveals in its UI to every user. It is less a security violation and more like pointing out that license plate numbers are a privacy issue because everybody can read them (with one exception, which I’ll get to). But unlike license plates, Snapchat can change its semantics whenever it wants, and should do so. Let me explain.
When you first sign up for Snapchat it pulls in your entire phone book and lets you add them to your friends list (Note to everyone else making new messaging apps: people’s list of real friends is still their phone contacts). This requires no permission from the people you’re adding. Not only does it reveal to you their phone numbers, it also shows their Snapchat usernames, and lets you look at their ‘best friends’ list. That last one is especially curious. Best friends is the list of people you’ve been chatting with most recently. It defaults to having 3 spots, with the option to change it to 5 or 7, which nobody does, and there’s no obvious way of removing it completely. This is the bizarre irony of Snapchat’s privacy features. It meticulously destroys all images you’re trading with other people immediately, but lets anyone who has your phone number see that you’ve been doing it with hornyslut6969.
Allowing that much information to be seen without a user’s permission is especially bizarre in Snapchat because it has such a strong bidirectional concept of friendship. The default is to only allow people you’ve added to send you messages, and most people leave that. It even lets you know that a message to someone is ‘pending’ if you send it prior to them adding you back, meaning that they’ll get it when (or more likely if) they add you. (The UI really doesn’t make clear what ‘pending’ means. Snapchat feels like it’s succeeded more by accident than design.)
One could argue that the person whose information is being viewed can at least see that someone else has added them if the standard UI is being used, but there are no proactive notifications of that and the viewer can simply remove the person before they notice. Aside from which, I’m not a fan of privacy through user interface obfuscation.
The ‘leak’ that we have now is an association of phone numbers, Snapchat logins, and approximate geographic locales. The first two parts, as I’ve said above, are already easy to look up, by design. But the locale information isn’t in any obvious place in the UI, and its being available via the API should be viewed as a real security issue.
So what should Snapchat do to fix the problem? As I said at the beginning, they need to change their actual semantics, including their basic UI. The logical way to do this is by making it so that your personal information is only sent to people you add as friends. This wouldn’t be an impediment to friend relationships getting formed, because when you add someone it tells them and encourages them to add you back. It also wouldn’t cause any UI confusion, because when you’ve added someone the main human readable name shown is the one pulled from your local phone book, which of course identifies them just fine. All sensitive info, including the user’s Snapchat id and their best friends, should be hidden until and unless they reciprocate the friend add. I don’t think the fact that the person has a Snapchat account at all is a sensitive piece of information.
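To make the proposed rule concrete, here is an added toy model (my own illustration, not Snapchat’s code) of the two visibility policies side by side: the current one, where anyone holding your phone number sees username and best friends, and the proposed one, where those fields are released only once the friend add is reciprocated. The data model, user names and phone numbers are all constructed for the example.

```python
from dataclasses import dataclass, field


# Constructed toy data model for the proposal above (not Snapchat's own code).
@dataclass
class User:
    phone: str
    username: str
    best_friends: list                       # people this user has chatted with most recently
    added: set = field(default_factory=set)  # phone numbers this user has added as friends


def visible_profile(viewer: User, target: User, reciprocal_only: bool) -> dict:
    """Return the fields of `target` that `viewer` is allowed to see.

    reciprocal_only=False models the current behaviour described in the post:
    anyone who has the phone number sees username and best friends.
    reciprocal_only=True models the proposed fix: sensitive fields stay hidden
    until `target` has added `viewer` back.
    """
    # Having an account at all is not treated as sensitive under either policy.
    profile = {"has_account": True}
    if not reciprocal_only:
        profile["username"] = target.username
        profile["best_friends"] = list(target.best_friends)
        return profile
    # Proposed semantics: both directions of the friend edge must exist.
    mutual = target.phone in viewer.added and viewer.phone in target.added
    if mutual:
        profile["username"] = target.username
        profile["best_friends"] = list(target.best_friends)
    return profile


def demo():
    """Walk one add/reciprocate sequence through both policies (constructed data)."""
    alice = User("+15550100", "alice_snaps", ["bob_snaps"])
    mallory = User("+15550199", "mallory_snaps", [])
    mallory.added.add(alice.phone)   # Mallory adds Alice from her phone book; Alice has not added back
    before = visible_profile(mallory, alice, reciprocal_only=False)
    pending = visible_profile(mallory, alice, reciprocal_only=True)
    alice.added.add(mallory.phone)   # Alice reciprocates the add
    after_mutual = visible_profile(mallory, alice, reciprocal_only=True)
    return before, pending, after_mutual


if __name__ == "__main__":
    for label, view in zip(("current", "proposed/pending", "proposed/mutual"), demo()):
        print(f"{label:>17}: {view}")
```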
Undoubtedly this would be a significant amount of work for Snapchat to do, but given the recent bad PR, and how generally icky the information leaks are to begin with, it would be clearly worth it.