Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard has learned.
Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story).
Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes.
Although Snap has introduced strict access controls to user data and takes abuse and user privacy very seriously according to several sources, the news highlights something that many users may forget: behind the products we use everyday there are people with access to highly sensitive customer data, who need it to perform essential work on the service. But, without proper protections in place, those same people may abuse it to spy on users' private information or profiles.
One of the internal tools that can access user data is called SnapLion, according to multiple sources and the emails. The tool was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena, two former employees said. Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion. Snap's "Spam and Abuse" team has access, according to one of the former employees, and a current employee suggested the tool is used to combat bullying or harassment on the platform by other users. An internal Snap email obtained by Motherboard says a department called "Customer Ops" has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported.
SnapLion provides "the keys to the kingdom," one of the former employees who described the abuse of accessing user data said.
Many of Snapchat's 186 million users turn to the app in part of the ephemerality of videos and photos users send to one another. Users may not be aware of the sort of data that Snapchat can store, however. In 2014, the Federal Trade Commission fined Snapchat for failing to disclose that the company collected, stored, and transmitted geolocation data.
Snap's publicly available guide to law enforcement for requesting information about users elaborates on the sort of data available from the company, including the phone number linked to an account; the user's location data (such as when the user has turned on that setting on their phone and enabled location services on Snapchat); their message metadata, which may show who they spoke to and when; and in some cases limited Snap content, such as the user's "Memories," which are saved versions of their usually ephemeral Snaps, as well as other photos or videos the user backs-up.
An internal email obtained by Motherboard shows a Snap employee legitimately using SnapLion to look up the email address linked to an account in a non-law enforcement context, and a second email shows how the tool can be used in investigations against child abuse.
Do you work at Snap? Did you work at Snap? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Tools like SnapLion are an industry standard in the tech world, as companies need to be able to access user data for various legitimate purposes. Although Snap said it has several tools that the company uses to help with customer reports, comply with laws, and to enforce the network's terms and policies, employees have used data access processes for illegitimate reasons to spy on users, according to two former employees.
One of the former employees said that data access abuse occurred "a few times" at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted.
Motherboard was unable to verify exactly how the data abuse occurred, or what specific system or process the employees leveraged to access Snapchat user data.
A Snap spokesperson wrote in an emailed statement “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination."
When asked if abuse ever took place, one former senior information security Snap employee said, "I can't comment but we had good systems early on, actually most likely earlier than any startup in existence." The former senior employee did not deny employees abused their data access, and stopped responding to messages asking whether abuse occurred.
"Logging isn't perfect."
One of the former employees thought that a number of years ago SnapLion did not have a satisfactory level of logging to track what data employees accessed. Logging, generally speaking, is when a company will track who uses a system and what data they access to make sure it is being used appropriately. The company then implemented more monitoring, the former employee added. Snap said it currently monitors access to user data.
"Logging isn't perfect," the second former employee who described the data access abuse said.
Snap said it limits internal access to tools to only those who require it, but SnapLion is no longer a tool purely intended to help law enforcement. It is now used more generally across the company. A former employee who worked with SnapLion said the tool is used for resetting passwords of hacked accounts and "other user administration."
One current employee emphasized the company's strides for user privacy, and two former employees stressed the controls Snap has in place for protecting user privacy. Snap introduced end to end encryption in January of this year.
Insiders leveraging their access to data for illegitimate purposes happens across the tech industry. Last year, Motherboard reported that Facebook has fired multiple employees for using their privileged access to user data to stalk exes. Uber showed off at parties its so-called 'God View' mode, which displays the real-time location of real users and drivers, and Uber employees used internal systems to spy on ex-partners, politicians, and celebrities.
"For the normal user, they need to understand that anything they're doing that is not encrypted is, at some point, available to humans," Alex Stamos, the former chief information security officer at Facebook and now a Stanford adjunct professor, said in a phone call, talking about the threat of malicious insiders at tech giants in general.
"It's not exceptionally rare," Stamos added, referring to insider data access abuse.
Leonie Tanczer, a lecturer in International Security and Emerging Technologies at University College London, said in an online chat this episode "really resonates with the idea that one should not perceive companies as monolithic entities but rather set together by individuals all who have flaws and biases of their own. Thus, it is important that access to data is strictly regulated internally and that there are proper oversights and checks and balances needed."
Additional reporting by Lorenzo Franceschi-Bicchierai.
Subscribe to our new cybersecurity podcast, CYBER.