On Sunday, malicious hackers released on the Internet images culled from Snapchat, the popular photo messaging service, that they had pilfered from a third-party service designed to store Snapchat’s ephemeral images. (The third-party service, it should be noted, was not authorized by Snapchat.)
Though Snapchat has built its name on prurient messages—why else would you want them to self-destruct?—the reality is that most of the images it transmits are banal at best. Nonetheless, Snapchat’s user base skews teenage, putting any potential hacker on the hook for violating U.S. child pornography laws.
Which prompts the question: Why would anyone want to hack Snapchat? Previous high-profile hackings in the news this year involved personal data, intellectual property, and other assets (e.g. personal photos of celebrity figures) that could lead to financial gain, strategic leverage, or notoriety.
None of that seems to be at play with what some people have dubbed “The Snappening.”
To get a better understanding of possible motivating factors at play, Fortune spoke with Andrew Conway, a research analyst at Cloudmark, a messaging security firm. “It’s not at all the vast torrent of personal nude photos that some people have been suggesting,” he said.
Why hack Snapchat data?
I think it’s the voyeuristic thrill of seeing something that you’re not supposed to be seeing. Look at some of the discussion on Reddit and other forums over the celeb nudes [hacking in September]. Some people are saying when they saw videos or intimate things being said they felt they were invading privacy. Other people were saying that the fact that it wasn’t meant for them seeing these intimate things made it even better for them. You can draw whatever conclusion you want about human nature from that—it’s not a pretty sight.
I don’t think the people doing this see themselves as criminals—as someone stealing credit card data, for instance. I think they see themselves as hackers. They’re giving hackers a bad name, by the way. I think they see themselves hackers looking to have some fun at somebody else’s expense.
How interesting is the loot?
I took a sample of the initial leak and looked through. I don’t now whether that was a representative sample or not, but that seems to be what we’re seeing. Most of the photos are not nude. Probably nine out of 10 are non-nude. They’re very ordinary, plain text messages or everyday pictures. Only a small portion are actually nude, and there is quite a lot of spam in there. Not more than 1-in-50, I would guess, shows nudity combined with an identifiable face. Most of the nude pictures with a face had that same picture sent to a number of different people, so it could be some sort of spam attack.
That doesn’t justify it in any way. Still, the idea that there are 200,000 nude pictures out there and that it’s child porn is absolutely ridiculous.
Who is responsible?
This did not come from Snapchat being hacked directly. But some would say it came from the fact that Snapchat’s protocols are not sufficiently secure. The question is: Why didn’t Snapchat design it like that in the first place? They weren’t thinking in terms of security to protect users from the ground up. They built a great app, a great service, a great company, but there will always be people out there trying to get around it. To think like security professional you have to be able to think like a criminal. They weren’t thinking like attackers. They weren’t thinking of ways it could be compromised. They did put in the terms of service that you’re not supposed to do this, but that’s not a particularly good form of security or protection.
How many people have downloaded it?
There are currently 1,915 seeds [the term for people sharing a complete copy of the file] on BitTorrent and 4,649 people with a partial copy downloading the rest. Those numbers change from second to second, obviously.
How many have it in total?
The torrent has been around for a couple days now. It’s probably in the high four-digit or low five-digit figures who have the whole 12.6-gigabyte file by now.
If there is potentially child porn in there, why would someone risk downloading it and running afoul with law enforcement?
I think there’s a feeling of safety in numbers. Obviously, if there’s child porn and a dozen people have a copy, there will be a dozen arrests. But it’s hard for sources to track down and arrest the person at the end of every single IP address.
How are people downloading the files?
BitTorrent is really the only thing that can handle lot of people downloading 12.6 gigabytes at the same time. Try to download that from RapidShare or Mega and it would take multiple hours—the better part of a day, depending on your bandwidth connection. Because BitTorrent is decentralized, there’s really nowhere for any lawyers to send a notice to.
How can this be prevented?
Don’t take nude photos. If you do take nude photos, don’t share them over the Internet. If you do take nude photos and share them over the Internet, don’t show your face.
I don’t like to give that advice. I think people should have the right to communicate privately with their lovers. But at the moment hackers are winning. It’s easier to hack into a system than to make something proof against attack. That’s starting to change, though. After [Edward] Snowden’s revelations [of secret National Security Agency surveillance programs], a lot of very smart people realized that the Internet will have to be engineered from ground up with security in mind. That’s a slow process and hasn’t happened yet. I hope in 10 years or so there will be progress on that.
What takeaways do you have for Snapcaht users?
This happened because people were deliberately trying to save pictures, violating Snapchat’s terms of service. But even with regular Snapchat, if you have a picture on your phone’s screen, you can take a picture of that picture with another camera and Snapchat will know nothing about it. Make sure you trust the person on the other end of the line.
Will the photos ever go away?
Once things are out on the Internet, they tend to stick around. It may be a long tail where you see fewer and fewer people interested in looking for them. I can’t see anyone going in and deleting all these files every place they are. Someone will make the effort to wade through the 200,000 photos and videos and select the ones that contain nudity and come up with a “Best of” file. That will get even wider distribution and stay around forever. I think there will be a few megabytes at most. I don’t think there’s very much good stuff. I still don’t think that’s a good thing.
