We use apps every single day, and the general hope is that most of them aren’t tools to be used to spy on us. Even the ones that are built around a social networking platform. Snapchat, for instance, which is one of the biggest and most popular social networks out there. But it turns out Snap used to have tools accessible by employees to spy on users.
Motherboard has the report this week, outlining a long-running situation that allowed some employees at Snap, Inc., to use built-in tools to spy on Snapchat users. Just to get this out of the way early: Snap had these tools in place, with some employees granted access that abused those tools, but has since drastically restricted access.
However, the abuse in this case is still worth noting. The report is based on information gathered from anonymous former employees, a pair of current employees, and emails gathered by the publication. Based on that, the report outlines how internal tools made it possible for these employees to not only see saved snaps, email addresses, but also phone numbers, and location information.
One of the former employees said that data access abuse occurred “a few times” at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted.
Motherboard was unable to verify exactly how the data abuse occurred, or what specific system or process the employees leveraged to access Snapchat user data.
One of the tools accessible to some Snap employees is called SnapLion. While this is designed to be a legitimate tool at Snap, its ability to acquire information about users has been used by some employees in less-than-upstanding ways. The SnapLion tool is meant to help with the lawful request for information from law enforcement agencies, making it easier to find the information they are looking for.
SnapLion is accessible via just a few teams within Snap, including the Customer Ops team and Spam & Abuse team. SnapLion effectively offers “the keys to the kingdom”, according to the sources. The report was not able to go into any detail about specific instances that SnapLion was used in a nefarious way to spy on users.
Snap did have a comment on the story, as far as user privacy is concerned:
A Snap spokesperson wrote in an emailed statement “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”
When asked if abuse ever took place, one former senior information security Snap employee said, “I can’t comment but we had good systems early on, actually most likely earlier than any startup in existence.” The former senior employee did not deny employees abused their data access, and stopped responding to messages asking whether abuse occurred.
Snapchat is designed around an ephemeral messaging system. That means messages, or snaps, disappear after a set amount of time. However, the platform itself is still capable of storing and saving some information. That includes phone numbers, some location data, Memories, and metadata associated with messaging.
This is unfortunate to hear. However, the silver lining is that Snap has since made changes and restricted access. And while Snap’s spokesperson is ready to go to bat for how their “good systems” were in place early on, it sounds like some employees were able to basically do whatever they want with the tools they could get their hands on.