Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user's Story).

Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users, Motherboard has learned.

One of the internal tools that can access user data is called SnapLion, according to multiple sources and the emails. The tool was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena , two former employees said. Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion. Snap's "Spam and Abuse" team has access, according to one of the former employees, and a current employee suggested the tool is used to combat bullying or harassment on the platform by other users. An internal Snap email obtained by Motherboard says a department called "Customer Ops" has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported.

Although Snap has introduced strict access controls to user data and takes abuse and user privacy very seriously according to several sources, the news highlights something that many users may forget: behind the products we use everyday there are people with access to highly sensitive customer data, who need it to perform essential work on the service. But, without proper protections in place, those same people may abuse it to spy on users' private information or profiles.

SnapLion provides "the keys to the kingdom," one of the former employees who described the abuse of accessing user data said.

*

Many of Snapchat's 186 million users turn to the app in part of the ephemerality of videos and photos users send to one another. Users may not be aware of the sort of data that Snapchat can store, however. In 2014, the Federal Trade Commission fined Snapchat for failing to disclose that the company collected, stored, and transmitted geolocation data.

Snap's publicly available guide to law enforcement for requesting information about users elaborates on the sort of data available from the company, including the phone number linked to an account; the user's location data (such as when the user has turned on that setting on their phone and enabled location services on Snapchat); their message metadata, which may show who they spoke to and when; and in some cases limited Snap content, such as the user's "Memories," which are saved versions of their usually ephemeral Snaps, as well as other photos or videos the user backs-up.

An internal email obtained by Motherboard shows a Snap employee legitimately using SnapLion to look up the email address linked to an account in a non-law enforcement context, and a second email shows how the tool can be used in investigations against child abuse.

Do you work at Snap? Did you work at Snap? We'd love to hear from you. You can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on jfcox@jabber.ccc.de, or email joseph.cox@vice.com.

Tools like SnapLion are an industry standard in the tech world, as companies need to be able to access user data for various legitimate purposes. Although Snap said it has several tools that the company uses to help with customer reports, comply with laws, and to enforce the network's terms and policies, employees have used data access processes for illegitimate reasons to spy on users, according to two former employees.