Some employees of the company that runs Snapchat used internal tools to access user data several years ago, before Snap restricted access.
"Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users," Motherboard reports.
The notion that a technology company would *not* have tools with which to access user data is silly, because that's what social media companies do: manage user data. But there are concerns about how the tools at Snap were accessed and used, and for what purpose.
Reporter Joseph Cox spoke to Snap employees who said yes, there was abuse.
From Joseph Cox at Motherboard:
Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story).
Motherboard granted multiple sources in this story anonymity to speak candidly about internal Snap processes.
Although Snap has introduced strict access controls to user data and takes abuse and user privacy very seriously according to several sources, the news highlights something that many users may forget: behind the products we use every day there are people with access to highly sensitive customer data, who need it to perform essential work on the service. But, without proper protections in place, those same people may abuse it to spy on users' private information or profiles.
One of the internal tools that can access user data is called SnapLion, according to multiple sources and the emails. The tool was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena, two former employees said. Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion. Snap's "Spam and Abuse" team has access, according to one of the former employees, and a current employee suggested the tool is used to combat bullying or harassment on the platform by other users. An internal Snap email obtained by Motherboard says a department called "Customer Ops" has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported.
SnapLion provides "the keys to the kingdom," one of the former employees who described the abuse of accessing user data said.
More from Twitter below.
One internal Snapchat tool for accessing user data is SnapLion. It started as a tool for retrieving information for law enforcement, but expanded to helping people with hacked accounts, tackle bullying/harassment, user administration. https://t.co/OjL9o2W2Kv pic.twitter.com/7M4O8JBjcT
— Joseph Cox (@josephfcox) May 23, 2019
Snapchat employees need access to user data for core functions of the service. But with that human access, comes the risk of abuse. Abuse happened at Snapchat a "few times", involved multiple employees, sources said https://t.co/OjL9o2W2Kv pic.twitter.com/hFa7sMDa1A
— Joseph Cox (@josephfcox) May 24, 2019
I'm guessing a tool like this would also be useful to fulfill Subject Access Requests under GDPR and CCPA.
— David Carroll (@profcarroll) May 23, 2019
The takeaway from this, or any insider data abuse story really, is something that a lot of users may forget: that there are people behind the tech products we use every day, and as @leotanczt said, with their own biases and flaws https://t.co/OjL9o2W2Kv pic.twitter.com/l4C2obbjb9
— Joseph Cox (@josephfcox) May 24, 2019
WTF? How are these Billion dollar companies but with no audit mechanisms to prevent abuse of user data? What are the VCs on board doing?
At Microsoft, I had to take 2 data handling trainings before I could access completely anonymized, basic product telemetry https://t.co/xDXdy9US8f
— Ashanka Iddya (@aiddya) May 23, 2019
Just for some relevant context: just about every single tech company has an internal system to look at individual customer data – it's critical for day to day operations across success, data, support, and marketing. https://t.co/4fImhCdE91
— Justin Gage (@jGage718) May 23, 2019