Snapchat’s claim to fame has always been its privacy feature, automatically deleting so-called ephemeral messages or after a period of time. Ironically, the social network’s biggest criticisms have also been on its privacy practices. Now former employees are coming out, anonymously, of course, to reveal that the company hasn’t exactly been exercising due diligence in making sure that a special tool primarily used for law enforcement and fighting abuse isn’t being abused by employees themselves to spy on Snapchat users.
That internal tool is called SnapLion, a play on the company’s name and LEO, an acronym for Law Enforcement Officer. SnapLion’s purpose was to extract data from user accounts in the aid of legal processes and investigation. Over time, it has also grown to be used by Snapchat itself to fight bullying and harassment on the platform. Unfortunately, it has reportedly also been used to get that same user data for illegal and illegitimate purposes.
That tool is able to access data such as location, saved Snaps that haven’t been automatically deleted yet, phone numbers, and email addresses. Information that users presume is as protected as their Snaps. Those former employees, however, are reporting that there have been incidents of abusing that tool, though they didn’t drill down on the specifics.
SnapLion was supposed to be limited only to employees that actually do need such access, from the company’s security staff to “spam and abuse” teams. Lately, however, it has reportedly been used also for doing simple things like resetting a user’s password after being hacked and other administrative actions. Snapchat also logs and monitors access to user data but, as one former employee reveals, it isn’t exactly perfect.
Snapchat has all but denied the report, stating it has policies and controls in place to limit access to user data. Aside from internal emails that VICE’s Motherboard was able to acquire, there hasn’t yet been more solid evidence that abuses have taken place. That said, as former Facebook chief information security officer Alex Stamos said, users should probably presume that anything unencrypted is, at some point, going to be viewable by humans. That, of course, isn’t really an excuse for any company to be lax in protecting their own users.