Some former Snapchat employees have claimed that several colleagues abused their access to Snapchat user data several years ago. A cache of internal company e-mails obtained by Motherboard describes the internal tools that allowed Snap employees to access user data, which in some cases included location information, saved photos and personal information such as phone numbers and e-mail addresses.
Behind the products we use every day there are people authorized to access highly sensitive customer data so they can perform essential and legitimate work on the service itself. Without adequate protection, however, these same people could abuse that access to spy on users' private information or profiles.
The SnapLion tool has legitimate purposes and is used for them within the company, but the two former Snap employees confirmed that it has also been used for illegitimate reasons, though information about specific incidents was not made available.
“One of the former employees said that data access abuse occurred “a few times” at Snap. That source and another former employee specified the abuse was carried out by multiple individuals. A Snapchat email obtained by Motherboard also shows employees broadly discussing the issue of insider threats and access to data, and how they need to be combatted.
Motherboard was unable to verify exactly how the data abuse occurred, or what specific system or process the employees leveraged to access Snapchat user data.”
An internal e-mail obtained by Motherboard shows a Snap employee legitimately using SnapLion to look up the e-mail address linked to an account in a non-law-enforcement context, and a second e-mail shows how the tool can be used in child abuse investigations.
Snap stated that it limits internal access to tools only to those who request it, but SnapLion is no longer a tool intended solely to help law enforcement and is now used more generally throughout the company. A former employee who worked with SnapLion said that the tool is used to reset the passwords of compromised accounts and “the other user administration”.
Insiders who exploit their access to data for illegitimate purposes are present throughout the technology sector. Last year, Motherboard reported that Facebook fired more employees for abusing their privileged access to user data. Uber showed off its so-called “God View” mode, which displays the real-time location of real users and drivers, at parties, and some Uber employees have used internal systems to spy on ex-partners, politicians and celebrities.
Because these companies are also made up of individuals, it is important that access to data be strictly regulated and monitored internally.