Written by: Alex Popa
A little while ago, it was discovered that a few Snapchat employees spied on their users with a certain dedicated tool called SnapLion. Actually, many departments belonging to Snap had access to SnapLion and the data it collected.
This was clearly some people abusing their privileges and infringing on the private lives of Snapchat end-users. This event isn’t something new though. Several people who worked at Snap said that it happened many years ago, and it would have been left undiscovered had it not been for their input.
Vice got hold of a few emails belonging to the company that confirmed this. In them, there were clear descriptions of the internal tools which could be used to access user data. This included real-time location, transmitted photos, and even personal information.
Officially, Snapchat developed SnapLion for one purpose alone: to comply with the authorities’ requests for information regarding people allegedly breaking the law or harassing other users.
Truth be told, when it had to deal with court orders, the giant social media company had few options when it came to complying with the requests of the authorities. As such, a tool like SnapLion was presumably necessary.
However, such powerful surveillance tools should be put under lock and key, restricted to certain personnel only, and used solely in particular instances when legal issues appeared.
In this specific case, the Snapchat employees had no factual or reasonable grounds to pull information from users, and they simply abused their prerogatives.
Fortunately, Snap quickly got wind of the news and brought the situation under control. They stated that they’ve found out who the perpetrators were, and due penalties were applied.
What’s more, since that incident, Snapchat has implemented end-to-end encryption as an added safeguard. Outside the user and the recipient of the message, no one else will have access to the content of a snap, now that encryption has been applied.
There is, however, little comfort in this because no matter how many security tools are put in place, companies such as Snap still have access to your private information and confidential data. The smallest mistake could lead to leaks, and to improper use of this information.
There are too few policies against the unwarranted abuse or surveillance of users’ information, and even if the guilty ones are reprimanded, the deed has been done. Privacy is starting to fade away.
Initially, SnapLion was successfully used to collect information based on the authorities’ requests, and this led to the correct application of court orders and a subpoena.
The two former Snap employees have said that SnapLion can be accessed by various individuals in the company, such as:
That’s dozens of people we’re talking about. They all can use SnapLion to get instant access to any user’s data and personal exchanges. Pictures, videos, messages, anything can be accessed.
One of the employees talked about such illegal uses of SnapLion, saying that the tool represented “the keys to the kingdom,” pointing to the actual significance of the surveillance mechanism.
It means that anyone who has access to it can make use of Snapchat’s functions as they see fit, with omnipotent influence over the virtual correspondence of users and uninhibited access to their information and private data.
This isn’t Snap’s first screw-up either. Back in 2014, Snapchat was fined because it somehow “forgot” to mention that the company collected geolocation data from all of its users and transmitted it onward.
The Federal Trade Commission discovered this and issued a fine, which Snapchat had no choice but to pay.
In this particular case, a Snap spokesperson had this to say – “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”
Upon further inquiry by Vice, the Snap information security employee dodged the question and said that their security systems were top-notch back then. They might even have been way ahead of everyone else in that regard, he further said.
Well, security systems or not, the fact still remains – the abuse happened, and they chose to cover it up, hoping no one would notice. Of course, he didn’t specifically say that Snap employees didn’t abuse their prerogatives either.
The surveillance tool was initially created to serve as a control and capture mechanism implemented at the authorities’ behest, but it has now come to be used in more “lax” circumstances: things like recovering lost passwords or those of hacked accounts, and a few other administrative issues that have nothing to do with legal matters.
Moreover, the personnel with access to SnapLion isn’t limited only to the higher-ups in cases of extreme emergency and factual legal issues. Now, the security staff and even other employees with no authorization can make use of it and abuse its capabilities.
They do so simply because they can. In fact, Snapchat’s misfire is only one link in the long chain of privacy abuses that have been happening lately. Facebook had to deal with employees who misused their privileges to stalk their exes, while Uber played around with the “God View” mode.
Regarding data access abuse, Alex Stamos, one of the former security executives who worked for Facebook, said that “It’s not exceptionally rare”, and that “For the normal user, they need to understand that anything they’re doing that is not encrypted is, at some point, available to humans.”
This seems to be the case with Snapchat’s abuse of power. Companies like Snap should really ensure that proper security mechanisms and strict policies are in place to prevent such things from happening.