A disappearing message app called Confide fails to actually provide the privacy safeguards it promises—such as a protection against screenshots—according to a federal lawsuit filed on Thursday in New York.
Confide, which launched in 2013, enjoyed a recent burst of popularity amid numerous reports that Republicans and Trump Administration staff were using the app to communicate in secret—and to shares leaks with the media.
The Confide app has long been controversial among security experts who have expressed skepticism about its claims of “military-grade encryption.” But the allegations in the lawsuit appear to be even more serious, claiming the app fails to deliver on a number of its advertised privacy features.
Specifically, it claims Confide fails to warn users when the person they are communicating with takes a screenshot. It adds that in the case of Windows desktop users, message recipients can easily take a screenshot of the message, including the sender’s name.
“Confide fails to deliver on two of the three requirements that it espouses as necessary for confidential communications: ephemerality and screenshot protection. Absent these protections, Confide knows that it cannot deliver on its promise to consumers that communications sent through it will be confidential,” the complaint states.
If the claims are true, it would appear to contradict Confide’s claim that its technology prevents such tactics.
The person who filed the lawsuit is a Michigan man named Jeremy Auman, who claims Confide’s advertised privacy features led him to pay $6.99 in January for a monthly subscription. Now, he is seeking to represent every other paid Confide subscriber in the U.S. in a class action suit, citing violations of laws against false advertising and deceptive practices. The suit does not name a specific amount of damages.
“Individuals ranging from an average consumer all the way up to government officials at the highest level have realized the importance of secure communications. And as such, that range of people put their trust in the representations made by Confide to protect their private correspondence. Our suit seeks to hold Confide accountable to the level of security it promised,” said lawyer Chris Dore, a partner at Edelson PC, which filed the lawsuit.
Confide CEO Jon Brod told Fortune the company would fight the lawsuit.
“Not surprisingly, the accusations set forth in the complaint are unfounded and without merit. We look forward to responding to this frivolous complaint and seeing this case swiftly thrown out of court,” said Brod.
The lawsuit also alleges that another aspect of the Confide app—known as the “sliver” feature—does not work. As Confide describes it, the sliver feature only reveals a little bit of text at a time, and obscures the sender’s name.
The point of the feature is to ensure a message recipient can’t use a camera to create a record of an entire message or otherwise identify its sender. But the “sliver” feature doesn’t work, according to the lawsuit, which includes a series of images purporting to show screenshots and photos of entire messages:
“Likewise, Confide did not design its macOS or Windows desktop Apps with the “sliver” feature enabled (i.e., to reveal only a “sliver” of the text as represented). Nor did Confide design its desktop Apps to ever hide the name of the sending party. As Figure 4 shows (through a photograph taken with a camera), Confide did not program either version of the desktop app to hide the sender’s name or to otherwise obscure the content of the messages. Confide’s design failure allows for a recipient to use a camera to capture the full content of each message as well as the identity of the sending party.”
You can read the complaint for yourself online.
This article was updated at 5:15 p.m. Eastern with an updated response from Confide. The company initially denied comment because it had not seen the complaint.
You can't solo security COVID-19 game security report: Learn the latest attack trends in gaming. Access here