Two former employees told Vice’s Motherboard that multiple Snapchat employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, users' own saved Snaps, and personal information such as phone numbers and email addresses. This was possible despite the fact that Snaps, the photos or videos sent through the app, typically disappear after being received or 24 hours after posting if they are not saved.
One of the internal tools that can access user data is called SnapLion, according to multiple sources and emails. The tool was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena, two former employees said. They added that the name is a play on "LEO," the common acronym for law enforcement officer, and one of them said it is a reference to the cartoon character Leo the Lion.
Through SnapLion, employees, current or former, could see: the user's location data (such as when the user has turned on that setting on their phone and enabled location services on Snapchat); their message metadata, which may show who they spoke to and when; and in some cases limited Snap content, such as the user's "Memories," which are saved versions of their usually ephemeral Snaps, as well as other photos or videos the user backs up.
One of the former employees said that data access abuse occurred "a few times" at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted.
“Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination,” a Snapchat spokesperson wrote in an emailed statement.
The existence of such tools within large companies isn’t new. Last year, Motherboard reported that Facebook had fired multiple employees for using their privileged access to user data to stalk exes. Uber showed off its so-called 'God View' mode, which displays the real-time location of real users and drivers, at parties, and Uber employees used internal systems to spy on ex-partners, politicians, and celebrities.
"For the normal user, they need to understand that anything they're doing that is not encrypted is, at some point, available to humans," Alex Stamos, the former chief information security officer at Facebook and now a Stanford adjunct professor, said in a phone call, adding that such data mining abuse "is not exceptionally rare."
Leonie Tanczer, a lecturer in International Security and Emerging Technologies at University College London, told Vice that this episode "really resonates with the idea that one should not perceive companies as monolithic entities but rather as being set together by individuals who all have flaws and biases of their own. Thus, it is important that access to data is strictly regulated internally and that there are proper oversights and checks and balances needed."