Snap employees allegedly abused data access to spy on Snapchat users
The basic premise behind Snapchat is simple. You send a video or picture and, once the user opens it, it disappears, never to be seen again. Pretty easy concept to grasp, right? The Android app has even had somewhat of a renaissance in recent times with an entirely remade app launched back in April.
Well, Snapchat does a lot more than just act as a vessel to send and receive temporary pictures. It allows users to save their snaps sent to a private gallery, allows their friends to see their location every time they open the app, and much more. If you want an idea of the kind of data Snap Inc. has on you, you can request a full dump of your data and see it all pretty clearly. According to a report from Motherboard, which spoke with two former employees of the company, the collection of that data may be far from harmless.
Several departments within Snap Inc. have dedicated tools for accessing user data, and many employees have access to those tools in order to perform customer support tasks, maintenance, and more. According to the report, those tools were misused a few years ago by employees to view private Snapchat data that includes private images saved in the user’s Snapchat gallery, email addresses, phone numbers, and even location data. That was thanks to the existence of a tool called SnapLion, which employees used to help comply with court orders and subpoenas on users.
The existence of tools like SnapLion is standard across the tech industry. Nowadays, SnapLion has uses outside of aiding law enforcement and is the tool of choice for resetting passwords of hacked accounts, along with “other user administration.”
Many teams across Snap Inc. have access to the tool. One of the former employees described it as the equivalent of having “the keys to the kingdom.” One of the employees also said that abuse of the available tools happened “a few times” to spy on Snapchat users. That same employee also specified that multiple individuals carried out the abuse. Motherboard contacted Snap for comment.
Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.
Motherboard then asked a former senior information security Snap employee if any abuse of the system had taken place.
I can’t comment but we had good systems early on, actually most likely earlier than any startup in existence.
The former senior employee did not deny employees abused their data access and stopped responding to messages sent by Motherboard asking whether abuse occurred.