Employees at social media giant Snap have been abusing internal tools for accessing user data in order to spy on Snapchat users, according to an investigative report by Motherboard, which interviewed multiple current and former employees and viewed internal Snap communications.
"employees have used data access processes for illegitimate reasons to spy on users, according to two former employees." -Motherboard
Snapchat, which boasts over 186 million users, is a mobile app for Android and iOS devices which allows people to send 'self-destructing' photos or videos to another person. The 'snap' can be set to expire within a few seconds of the receiver opening it, or the sender can elect not to delete it at all.
As such, the app has fueled an explosion in sexting - the exchange of sexually explicit messages over electronic devices, which has consequently led to legal trouble for those breaking the law. Earlier this month, five Fairfax County, VA students were hit with nine felony child porn charges and one charge for unlawful filming tied to a sexting case in which the students were trading naked pictures of female students over Snapchat.
One of the tools Snap employees use to access sensitive user information, often for law enforcement purposes, is called SnapLion. Originally designed to comply with court orders and other valid law enforcement requests, SnapLion can reveal a user's location data (when enabled) and message metadata, as well as photos or videos backed up by Snap users.
Snap's publicly available guide to law enforcement for requesting information about users elaborates on the sort of data available from the company, including the phone number linked to an account; the user's location data (such as when the user has turned on that setting on their phone and enabled location services on Snapchat); their message metadata, which may show who they spoke to and when; and in some cases limited Snap content, such as the user's "Memories," which are saved versions of their usually ephemeral Snaps, as well as other photos or videos the user backs up. -Motherboard
According to one of the former employees cited in the report, Snap's entire "Spam and Abuse" team has access to the program, along with a department called "Customer Ops." One current employee suggested that the tool is also used to combat bullying or harassment on the platform.
One of the former employees said that data access abuse occurred "a few times" at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted. -Motherboard
While Motherboard was able to view internal communications, the investigation "was unable to verify exactly how the data abuse occurred, or what specific system or process the employees leveraged to access Snapchat user data."
You'll just have to use your imagination - and keep in mind that whatever you send over somebody else's network is always subject to internal abuse.
Leonie Tanczer, a lecturer in International Security and Emerging Technologies at University College London, said in an online chat this episode "really resonates with the idea that one should not perceive companies as monolithic entities but rather set together by individuals all who have flaws and biases of their own. Thus, it is important that access to data is strictly regulated internally and that there are proper oversights and checks and balances needed." -Motherboard
"For the normal user, they need to understand that anything they're doing that is not encrypted is, at some point, available to humans," said former Facebook chief information security officer, Alex Stamos, who added that insider data access abuse 'is not exceptionally rare.'
Motherboard notes that while Snap has taken measures to introduce strict access controls over user data, and takes abuse and user privacy very seriously, "the news highlights something that many users may forget: behind the products we use everyday there are people with access to highly sensitive customer data, who need it to perform essential work on the service."