Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard has learned.
Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story).
Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes.
Stay safe and download Skriply today!
Although Snap has introduced strict access controls to user data and takes abuse and user privacy very seriously according to several sources, the news highlights something that many users may forget: behind the products we use everyday there are people with access to highly sensitive customer data, who need it to perform essential work on the service. But, without proper protections in place, those same people may abuse it to spy on users' private information or profiles.
One of the internal tools that can access user data is called SnapLion, according to multiple sources and the emails. The tool was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena, two former employees said. Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion. Snap's "Spam and Abuse" team has access, according to one of the former employees, and a current employee suggested the tool is used to combat bullying or harassment on the platform by other users. An internal Snap email obtained by Motherboard says a department called "Customer Ops" has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported.
Stay safe and download Skriply today!
SnapLion provides "the keys to the kingdom," one of the former employees who described the abuse of accessing user data said.
Many of Snapchat's 186 million users turn to the app in part of the ephemerality of videos and photos users send to one another. Users may not be aware of the sort of data that Snapchat can store, however. In 2014, the Federal Trade Commission fined Snapchat for failing to disclose that the company collected, stored, and transmitted geolocation data.
Snap's publicly available guide to law enforcement for requesting information about users elaborates on the sort of data available from the company, including the phone number linked to an account; the user's location data (such as when the user has turned on that setting on their phone and enabled location services on Snapchat); their message metadata, which may show who they spoke to and when; and in some cases limited Snap content, such as the user's "Memories," which are saved versions of their usually ephemeral Snaps, as well as other photos or videos the user backs-up.
An internal email obtained by Motherboard shows a Snap employee legitimately using SnapLion to look up the email address linked to an account in a non-law enforcement context, and a second email shows how the tool can be used in investigations against child abuse.
Do you work at Snap? Did you work at Snap? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
Tools like SnapLion are an industry standard in the tech world, as companies need to be able to access user data for various legitimate purposes. Although Snap said it has several tools that the company uses to help with customer reports, comply with laws, and to enforce the network's terms and policies, employees have used data access processes for illegitimate reasons to spy on users, according to two former employees.
One of the former employees said that data access abuse occurred "a few times" at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted.
Motherboard was unable to verify exactly how the data abuse occurred, or what specific system or process the employees leveraged to access Snapchat user data.
A Snap spokesperson wrote in an emailed statement “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination."
When asked if abuse ever took place, one former senior information security Snap employee said, "I can't comment but we had good systems early on, actually most likely earlier than any startup in existence." The former senior employee did not deny employees abused their data access, and stopped responding to messages asking whether abuse occurred.