Snapchat, Facebook Poke and the Rise of Secure Messaging

At the end of December, Facebook reinvented the “Poke” by launching a new app with the same name. The idea was that, rather than make the “poke” a meaningless message you send to other users, it would be a more robust platform for sending temporary messages.

In that regard, Facebook was following the lead of Snapchat, a similar messaging service that currently is being used to swap some 50 million photos/videos per day.

But these aren’t mere photo sharing apps, both have put a high premium on privacy and security. They work in largely the same way, by introducing “immediacy” to photo sharing. You snap an image (or take a video), send it to one or more people on your friend list and the other person has between 1-10 seconds to view it before the image disappears.

These apps have been widely called “sexting” apps with many noting that they are ideal for sending nude or other sensitive images to other people. However, as others point out, that’s unlikely to be the sole or even the most common use of them.

But regardless of the content, this desire to protect images is understandable. With the rise of sites like Is Anybody Down? and even the recent Instagram TOS controversy, there’s obviously a lot of concern about how one’s images are going to be used online.

Whether it’s a nude photo appearing on an involuntary porn site or a sunset photo appearing in an advertisement for a hotel, there’s a clear interest in preventing shared works from reaching beyond their intended audience. But will these apps fix the problem? If recent history is any indication, the answer is a resounding “No”.

The Security of Secure Messaging

On the surface, it seems like these apps do a great deal to cover their bases. The picture sends and the other person has just ten seconds to review it before it is deleted forever. There’s no way to use a photo in your library, meaning that you have take the photo right then and there and it is not stored on your phone, meaning that the image is sent and it disappears from both phones.

Both Facebook and Snapchat offer explicit promises that your content is deleted quickly from their servers. Though there was some concern that Facebook’s terms were less clear, it has since said that it deletes the content’s encryption key after two days, making it impossible to be retrieved.

Though recipients can take screenshots of the images they get, an alert is sent to the sender that says the user did so. This means that the sender is at least aware that it happened and who did it (if there were multiple recipients).

However, that protection isn’t perfect. Some users seem to have found a way to prevent that message from being sent, though it requires the use of a jailbroken iPhone. On Android, a recently-patched security hole caused videos sent via Snapchat to be saved to the user’s gallery before it is viewed, making it accessible and savable before it’s viewed in the app.

But the worst breach to date involves the use of an iPhone and a file browser, which can easily locate sent files and save them to a computer, in some cases after they’re viewed. This flaw works in both Facebook Poke and Snapchat, something both services say they are going to fix.

In short, while these apps are very security-conscious and do a good job defending against ordinary users that may want to share your content without your permission, they are not and can not be perfect. This game will almost always be one of cat and mouse, the discovery of workarounds met by patches to block them. It may not be as intense or high-stakes of a game as malware authors or even traditional piracy/anti-piracy actions, but it’s already taking place.

This should have an impact on if and how you use those apps.

The Danger of False Security

There’s a simple truth when it comes to all forms of security, including content protection, if someone wants it bad enough, they’re going to get it. That includes Snapchat and Facebook poke content.

The most obvious problem is the screenshot one. Though Snapchat and Facebook Poke alert you that a screenshot has been taken, it doesn’t (and can’t) do anything to actually stop it. Knowing who saved the photo originally is likely pretty useless information that only lets you avoid sending future content to that person.

However, even if we ignore that necessary limitation, there are other problems. Neither of these apps can do anything to prevent someone from taking a second phone or camera and snapping an image and, as mentioned above, there are ways around the protections these apps provide. There will always be limitations.

To repeat, if someone wants your content bad enough, they will find a way to get it. It may not be obvious, it may not be ideal, but they will get it.

That being said, Snapchat and Facebook Poke are probably safe for their intended uses. If you’re sending a few private messages to your spouse or friends, you’re probably relatively safe.

Still, I wouldn’t use them to send highly valuable information, such as incriminating photos of you that could be used in a criminal or civil case. If the information is more valuable than your trust or would justify the time to find ways around the protections of these programs, sending it via this means (or any means) is still very risky.

In the end, the security is relative. Snapchat and Facebook Poke are definitely more secure than sending the content via MMS or email, but nowhere near as secure as simply not producing the content or not sharing it at all. The real risk of these applications isn’t any particular security hole, but that people will assume that they are completely secure and use it in risky ways.

Bottom Line

The problem, in reality, is not Snapchat or Facebook Poke. They are decent apps that are written for a purpose and, for the most part, do that job as well as can be expected.

The apps, if anything, are a symptom of the problem. As the excitement for the culture of digital sharing takes ramps up, there’s an equal and opposite reaction for fear. Fear of privacy, fear of infringement and fear of abused trust.

Those fears are understandable. We’re converting more and more of our lives into digital format and sending them via a variety of services to friends, family and strangers alike. There’s always going to be a concern as to what we are giving up as we are sharing.

However, while technology can help you, it can’t protect you from those fears. If you are worried about what you are sending getting into the wrong hands, the safest approach is to not send it. Trusting technology blindly to protect you is going to be a mistake and that is equally true if it’s Snapchat or whatever comes along next.

There are no simple answers and there never will be. The mistake is not in using the tools available to make you more secure, but in trusting them blindly.