In a new controversy surrounding user privacy, Snapchat is facing the heat for spying on users. According to multiple sources, the company’s employees abused data access to spy on users.
How did the employees exploit access?
Several departments at Snap Inc. have dedicated tools for accessing user data. According to Motherboard, several employees abused this access. Two former employees recently came forward to suggest that multiple employees had spied on users several years ago.
A current employee, two additional former employees, and some other sources have confirmed that this is true. According to a cache of internal company emails, these employees used location information and, in some cases, saved Snaps as well as users' personal information, such as phone numbers and email addresses.
It is important to note that although the company has dedicated itself to introducing strict access controls on user data and takes user privacy very seriously, it cannot micromanage employees. These employees handle very sensitive customer data, and if proper protections aren't in place, they may abuse their privileges to spy on users.
The abuse of SnapLion
SnapLion is an internal tool that gives employees access to user data. The tool was originally designed to gather information on users in response to law enforcement requests. These requests usually came in the form of subpoenas or court orders. The company's Spam and Abuse team has access to user data to help combat harassment and bullying on the platform. SnapLion is also used by another department called Customer Ops and by the company's security staff. The existence of such a tool has never been reported previously.
Snapchat has 186 million users who use the app to send ephemeral videos and photos. In 2014, the company was fined by the Federal Trade Commission for failing to disclose that it collected and stored users' geolocation data. An email gathered by Motherboard even shows that an employee used the SnapLion tool to gather users' email addresses in a non-law enforcement context.
The problem doesn't lie in tools like SnapLion themselves, as they are standard in tech companies and help in accessing user data for legitimate purposes. However, this doesn't stop employees from accessing user data for illegitimate reasons. Company emails also show that employees have broadly discussed the issue of insider threats and data access.
There is no confirmation of how exactly the data was abused.