A report released by Motherboard yesterday reveals that employees of Snap Inc., the parent company of the popular social media app Snapchat, abused privileged data management tools to spy on Snap users. They gained access to location data, contact details, email addresses, and even saved Snaps!
Motherboard, which first reported the news, states that various departments within Snap have dedicated tools for accessing data. Talking about its sources, Motherboard said, “two former employees said multiple Snap employees abused their access to Snapchat user data several years ago”. Along with those sources, Motherboard also obtained information from two other former employees, a current employee, and a cache of internal company emails.
The sources and the obtained emails highlight one of the internal tools that can access user data, called SnapLion.
Former employees said that SnapLion was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena. “Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion”, Motherboard reports.
Snap Inc.’s ‘Spam and Abuse’ team has access to the tool, and it can also be used to combat bullying or harassment on the platform by other users. Motherboard said, “An internal Snap email obtained by Motherboard says a department called ‘Customer Ops’ also has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported”.
“Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes”, reports Motherboard.
Snapchat has a user base of around 186 million users, who use it to share photos and videos or post stories, trusting that the content may get auto-deleted as per Snapchat’s privacy policies.
Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user’s Story).
However, in 2014, the Federal Trade Commission fined Snapchat for failing to disclose that the company collected, stored, and transmitted geolocation data.
A Snap spokesperson wrote to Motherboard, “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”
A few years ago, SnapLion did not have a satisfactory level of logging to track what data employees accessed, a former employee said. The company then implemented more monitoring, the former employee added. Snap said it currently monitors access to user data. The second former employee said, “Logging isn’t perfect”.
“Snap said it limits internal access to tools to only those who require it, but SnapLion is no longer a tool purely intended to help law enforcement. It is now used more generally across the company”, the former employees reported. One of them who worked with SnapLion said the tool is used for resetting passwords of hacked accounts and “other user administration.”
A current employee spoke of the company’s strides for user privacy, and two former employees stressed the controls Snap has in place for protecting user privacy. Snap also introduced end-to-end encryption in January of this year.
Snap Inc. is not alone: there are similar stories of employees at other tech giants, like Facebook and Uber, accessing their exes’ data. Facebook fired some of its employees in May last year for using their privileged access to user data to stalk exes. In 2016, Uber employees used internal systems to spy on ex-partners, politicians, and celebrities.
There have been similar stories at lots of companies, like Facebook employees accessing exes' private data.
At most web cos, many employees have unfettered access to user data. And most do not keep an audit trail of who is accessing what, when, or why.
— Kelly Ellis (@justkelly_ok) May 24, 2019
Read more about this news in detail on Motherboard’s full coverage.