Existing online today means giving over a wealth of data. The hope is that the companies safeguarding it are doing so securely, but thousands of people work for these companies, and all it takes is a few bad actors with the right access to peep at some of your most intimate personal details. And, according to two former Snap employees who spoke with Motherboard, that’s exactly what happened at Snapchat.
The bombshell Motherboard report on Thursday (23 May) reveals that employees across several departments at Snapchat can view user location information, saved Snaps, phone numbers and email addresses through a tool known as SnapLion. It’s not clear exactly how widespread abuse of the tool is; a former Snapchat employee quoted in the report said that data access abuse happened a “few times” at the organization.
SnapLion was reportedly designed to let the company access user data for law enforcement purposes. It was accessible by the company’s Spam and Abuse team, Customer Ops team, and security staff, Motherboard reports. A former employee characterized it as “the keys to the kingdom,” Motherboard reported, and internal emails obtained by the publication revealed that an employee used the tool to look up someone’s email address.
In response to the report, Snap gave the following rebuttal: “Any perception that employees might be spying on our community is highly troubling, and wholly inaccurate. Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have, including data within tools designed to support law enforcement. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”
In total, Motherboard spoke to four former employees and a current employee who verified the existence of the SnapLion tool. Two former employees said that the abuse of the SnapLion tool occurred “several years” ago, but it’s unknown whether it’s still happening today. Emails obtained by Motherboard revealed an employee using the tool to look up a user email address in a non-law-enforcement context. Snapchat did not immediately respond to a request from Engadget for comment.
One of the former employees thought that a number of years ago SnapLion did not have a satisfactory level of logging to track what data employees accessed. Logging, generally speaking, means a company tracks who uses a system and what data they access, to make sure it is being used appropriately. The company then implemented more monitoring, the former employee added. Snap said it currently monitors access to user data.
“Logging isn’t perfect,” the second former employee who described the data access abuse said.
Snap said it limits internal access to tools to only those who require it, but SnapLion is no longer a tool purely intended to help law enforcement. It is now used more generally across the company. A former employee who worked with SnapLion said the tool is used for resetting passwords of hacked accounts and “other user administration.”
This isn’t the first accusation of the company being shady with data. In 2014, the Federal Trade Commission issued a fine after Snapchat failed to disclose the fact that it was collecting, storing, and transmitting geolocation data.
But the problem of employees abusing their access to data isn’t limited to Snapchat. The Vice story mentions Uber employees who spied on the locations of celebrities, politicians, and acquaintances, as well as Facebook employees using data to stalk exes. Not to mention the completely legal creepy shit social media companies do with data, like the fact that every time my roommate looks at man rompers on his desktop, I get weeks of targeted Facebook ads on my cellphone featuring various floral onesies with plenty of room for a penis I do not have.
What stands out in the case of Snapchat is how easily employees across multiple departments were able to use the SnapLion tool for unrelated, internal purposes, such as handling spam and abuse on the platform. But such an internal tool isn’t unique to Snapchat, and neither is abuse of private data by employees. Facebook fired a security engineer last year for using personal data to stalk women. Uber’s use of a “God View” tool that revealed riders’ locations prompted an investigation by the New York State Attorney General. Both companies responded by promising stricter privacy controls; in the case of Facebook, the employee in question was fired.
Leonie Tanczer, a lecturer in International Security and Emerging Technologies at University College London, said in an online chat that this episode “really resonates with the idea that one should not perceive companies as monolithic entities but rather set together by individuals all who have flaws and biases of their own. Thus, it is important that access to data is strictly regulated internally and that there are proper oversights and checks and balances needed.”