Some employees of Snap have access to internal tools that allow them to access Snapchat user data and have in the past abused those tools to spy on Snapchat users, reports Motherboard.
According to two former employees, a current employee, and internal company emails, Snap employees have access to internal tools that let them access location information, saved snaps, phone numbers, and email addresses from users.
One of the tools, SnapLion, was designed to gather information on users in response to valid law enforcement requests. Snap’s Spam and Abuse team has access to SnapLion, as does a Customer Ops team and security staff. One former employee told Motherboard that SnapLion offers “the keys to the kingdom.”
The SnapLion tool has legitimate purposes and is used for them within the company, but the two former Snap employees confirmed that it has also been used for illegitimate reasons, though information about specific incidents was not made available.
One of the former employees said that data access abuse occurred “a few times” at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted.
Motherboard was unable to verify exactly how the data abuse occurred, or what specific system or process the employees leveraged to access Snapchat user data.
A Snap spokesperson said that privacy is “paramount” at Snap, and that little user data is kept. What data is stored is protected by “robust policies” to limit the number of employees who have access. “Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination,” the spokesperson told Motherboard.
Snap monitors who accesses user data, but the former employees say that the logging procedures aren’t perfect, and that years ago, SnapLion did not have robust data protection tools to track what employees were doing. It’s not clear if employees are still abusing internal tools, but Motherboard’s investigation suggests it did happen in the past.
Snap said it limits internal access to tools to only those who require it, but SnapLion is no longer a tool purely intended to help law enforcement. It is now used more generally across the company. A former employee who worked with SnapLion said the tool is used for resetting passwords of hacked accounts and “other user administration.”
Much of what’s shared on Snapchat is ephemeral, with content disappearing after a short period of time. Users should be aware, however, that certain data is collected and stored by Snapchat, such as phone number, location data, message metadata (who a person spoke to and when), and some Snap content, such as Memories.
A full accounting of Motherboard’s Snap investigation can be read over on Vice.