Future Tense

Snapchat Fails to Protect Users’ Data, Won’t Apologize, Blames Everyone Else

Evan Spiegel wants you to know that he isn’t sorry. At all.


Let’s recap. In August, a security firm called Gibson Security warned Snapchat that there were loopholes in its code that left its users’ personal information vulnerable to hackers. Snapchat didn’t respond.

Frustrated, Gibson Security published Snapchat’s programming interface publicly on Dec. 25 and explained how hackers could exploit it. Two days later, as security blogger Graham Cluley points out, Snapchat responded with a blog post downplaying the problem as “theoretical.”

On New Year’s Eve, hackers went ahead and took advantage of the loopholes Gibson had pointed out. They set up a website called snapchat.db, to which they posted a database containing the user names and (partially redacted) phone numbers of some 4.6 million Snapchat users. Snapchat responded with a second post decrying the “abuse” of its Find Friends feature and, finally, promising an app update that it said would fix some of the problems. It also for the first time set up an email account at which people could contact it directly with future security problems. (Snapchat makes itself notoriously inaccessible to the public and the media.)

As of this morning, the company had written more than 500 words about its failure to protect users’ data, and not one of them was “sorry.” Instead, co-founder and CEO Evan Spiegel went on the Today Show—and blamed basically everyone but himself.

“We call it abuse. A tool that we developed to help Snapchatters find their friends was used by someone to find the usernames of people that weren’t their friends,” Spiegel whined, displaying a weasel’s command of the passive voice. He proceeded to explain that “technology businesses in general are susceptible to hacking” and that his solution was to “work really, really hard with law enforcement, with security experts.” As the Washington Post’s Brian Fung has pointed out, Spiegel’s repeated emphasis on “law enforcement” implies that “what they think is most important is catching the culprits.” Ironic, since the “culprits” in this case seemed to care more about getting Snapchat to fix its security holes than Snapchat itself did.

Spiegel wasn’t finished. Asked why he ignored the repeated warnings from Gibson Security, he instead focused on justifying his continued refusal to apologize. “I believe at the time we thought we had done enough,” Spiegel said. “But in a business like this, in a business that’s moving so quickly, if you spend your time looking backwards you’re just going to kill yourself.” In other words, if you ask Spiegel, “Would it kill you to take a little responsibility here and apologize?”, his answer is, “yes.”

Snapchat defenders point out that the information the hackers obtained wasn’t that damaging: just user names and phone numbers. They’re right: What’s really worrying is the company’s blasé attitude toward security breaches. Remember: The whole reason people use Snapchat is because it’s supposed to be private. Spiegel seems to think that his company is entitled to its users’ trust, rather than being responsible for earning and upholding it.

Entitlement and irresponsibility are not traits I would attribute to someone just because he’s a 23-year-old Stanford frat boy and “certified bro” who dropped out and now runs a $3-billion company. No, it’s Spiegel’s actions that suggest he might not be the guy you’d most want guarding your most intimate photos, videos, and personal messages.
