Slashdot Mirror

← Back to Stories (view on slashdot.org)

Snapchat Search Warrants Emphasize Data Vulnerability

Posted by Unknown on from the perils-of-centralization dept.

Nerval's Lobster writes "This year's revelations about NSA surveillance have upended the idea that our data—any of it—is truly secure from prying eyes. That uncertainty has sparked the rise of several businesses with a simple proposition: you can send whatever you want via their online service (text, images, video), and that data will vaporize within seconds of the recipient opening it up. One of the most popular of those services is Snapchat, which allows users to take "Snaps" (i.e., videos or photos) that self-destruct a few seconds after the recipient opens them; that data also disappears from the company's servers. But is 'disappearing' data truly secure from prying eyes? Earlier this week, Snapchat admitted to a loophole in its schema that leaves Snaps open to viewing by law enforcement — provided the latter shows up at the company's front door with a warrant. Until a recipient opens a Snap, it's stored in the company's datacenter. In theory, law enforcement could request that Snapchat send it an unopened Snap. 'If we receive a search warrant from law enforcement for the contents of Snaps and those Snaps are still on our servers,' read an Oct. 14 posting on Snapchat's corporate blog, 'a federal law called the Electronic Communications Privacy Act (ECPA) obliges us to produce the Snaps to the requesting law enforcement agency.' Law-enforcement entities have hit Snapchat with 'about a dozen' search warrants for unopened Snaps since May 2013. 'Law enforcement requests sometimes require us to preserve Snaps for a time, like when law enforcement is determining whether to issue a search warrant for Snaps,' the blog continued. That surveillance could also go beyond unopened Snaps: Snapchat 'Stories,' or a cluster of Snaps, live on the company's servers for up to 24 hours and can be viewed multiple times, which broadens the window for law enforcement to poke its way in."

15 of 105 comments (clear)

  1. So basically... by DiEx-15 · · Score: 2

    Snapchat hasn't been telling the truth to it's user base and stores private data longer than they claim to it's user base? That they do this so in case LE comes in with a warrant, they will have the info on tap for them?

    Is this a surprise to anybody anymore?

    1. Re:So basically... by gnasher719 · · Score: 5, Insightful

      Snapchat hasn't been telling the truth to it's user base and stores private data longer than they claim to it's user base? That they do this so in case LE comes in with a warrant, they will have the info on tap for them?

      No, they have been telling the truth. They store a picture until the recipient opens it. They have to, how else could they send the picture to the recipient? And the purpose is to be able to send the picture to the recipient when needed, not to preemptively gather information for the police.

      And a search warrant is a search warrant. Same as fifty years ago. The police gets search warrants to look for evidence against people suspected of crimes. Are you saying that Snapchat should think about whether information it has could be evidence against a criminal and hide it if it is? I'd say absolutely not. They should protect users' data against illegal access, but giving the information to police with a search warrant is absolutely legal.

    2. Re:So basically... by gandhi_2 · · Score: 4, Informative

      So basically the COURTS sign the warrants because of LEGISLATION that allows them to have this authority, and you should take issue with the Legistatures and Judicial bodies who exercise authority to tell companies what to do.

      It is all well and good that a company says they will do what they can, but all this authority comes from the laws and lawyers, not the server admins, not even the cops.

      --
      THL phish sticks
    3. Re:So basically... by suutar · · Score: 2

      sounds more like "If LE gets here with a warrant before we delete it, we have to give it to them. If they give us proper legal notice that they're working on getting a warrant, we have to keep it around until they get one. In absence of any notice from LE, it goes poof once the recipient has gotten it."

  2. Re:Just use RSA by stewsters · · Score: 4, Insightful

    Which sucks if you want to access it from your phone, your computer, and a computer at the library. I think that syncing the keys securely is somewhat challenging for your average user. Your browser would also need to be able decrypt with the key, and doing that from javascript in a secure way is challenging.

  3. Re:Court Order by Overzeetop · · Score: 4, Informative

    1) don't put yourself in a situation where someone wants a court order for something you have
    2) ignoring 1, don't send incriminating evidence electronically
    3) Ever
    4) If you're stupid enough to ignore 1-3, pass one time, strong passwords in person, then encrypt your files locally and send them by any means you aren't supposed to be using based on 1-3, above. Then destroy your copy of the password and the entire computer you used to create, encrypt, or send the message.

    Though, really, sticking with 1 and 2 is your best bet.

    --
    Is it just my observation, or are there way too many stupid people in the world?
  4. Re:Court Order by disposable60 · · Score: 4, Insightful

    Unfortunately, dragnets are wide and indiscriminate, and worse, definitions of wrongdoing are local and plastic.

    --
    You're looking for quotes? See my journal.
  5. Message security has to be end to end. by Animats · · Score: 4, Insightful

    From now on, all point-to-point message security has to be end to end. At no point in the middle can a message be plain text. The era of trusting service providers is over.

    We really need is a good way for people to publish their public key, in a place where tampering with it will be detected. Somebody needs to solve that problem.

    1. Re:Message security has to be end to end. by mlts · · Score: 2

      We have this technology... keyservers that replicate among each other. Someone's key that is deleted from one will remain on the others, and eventually gets propagated back. Keyservers are designed to copy and add data, never delete/remove items. So, a key that gets on there will remain there forever.

      Of course, if every keyserver gets compromised at the same time, that is an attack, but if one is left that still has the key on it, it will propagate the next replication session.

  6. The wrong approach? by Rigel47 · · Score: 5, Insightful

    How about instead of trying to duck and weave around the NSA we do it right and demand they dismantle their illegitimate spying apparatus? Remember the part about where the government is supposed to answer to the people?

  7. cloud is dead unless something changes. by nimbius · · Score: 2

    SaaS and PaaS are utterly useless for private citizens and will continue to be so long as their providers are willing to fellate even the most casual government agencies upon request for your personal data. To think this company has a solution that wipes data off their servers and off the client once the data is viewed, yet gladly withholds it until $agency can get its shit together and convince a judge to rubberstamp a warrant, is pretty damning as a business model.

    in the face of Everything as a Service, the constitution ends when you pick up your device. fifth amendment? thats certainly gone. first and second? only so far as theyre employed to ensure the rope is long enough to hang you. dont use one of these services? expect to be 'detained' randomly at an airport, train station, or bus terminal. And if you have the outright audacity to use any data encryption to protect yourself, expect your inquisitors to react much the same as they did to people like Moxie Marlinspike.

    --
    Good people go to bed earlier.
  8. Newspeak by dcollins117 · · Score: 5, Interesting

    a federal law called the Electronic Communications Privacy Act (ECPA) obliges us to produce the Snaps to the requesting law enforcement agency.

    Is it a rule now that every law has to be named to imply it does the exact opposite of what it actually does?

  9. Re:Court Order by PRMan · · Score: 2

    He didn't say that. He said don't do something they won't like.

    --
    Peter predicted that you would "deliberately forget" creation 2000 years ago...
  10. It's a big planet by SteveFoerster · · Score: 3, Interesting

    What I don't understand is why anyone runs any service with any sort of privacy angle from the U.S. There are freer countries with good Internet access. Pick one, and put all those U.S. subpoenas on the bottom of the birdcage, where they belong.

    --
    Space game using normal deck of cards: http://BattleCards.org
  11. Re:RetroShare by lister+king+of+smeg · · Score: 3, Informative

    RetroShare baby.

    I like retroshare. I have installed in my computers. the problem is; get everyone to use it call me when you have that one figured out.
    All the people I have talked to trying to get them to use it fall into one a of a couple of camps.

    1. they think that all encryption is somehow back-doored by the NSA/CIA/FBI/DOD/$InsertThreeLetterAgency anyway so it is a exercise in futility.
    2. they think they are too boring or have nothing to hide
    3. they think your tinfoil hat wearing paranoid.

    The media constantly actively attacks Snowden and Assange for being horrible "narcissistic treasonous traitor" and smear Manning for being Gay. Or plain Ignore the leaks.
    The politicians don't care or support spying.
    The spys lie to congress and nothing happens and worse get put in charge of their own oversight.
    The courts are conspiring with the spys. see fisa courts
    The corperations compete to see who can bend over the farthest, those that don't get destroyed see lavabit.
    And finally the people are either to apathetic ignorant or paranoid to do anything.

    whats a cryptogeek to do?

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.