Snapchat staff abused internal tools to spy on users

Snapchat has internal tools dedicated to accessing consumer data and these same tools have been subject to abuse by employees.

According to a report published by Motherboard, "multiple" members of staff have abused their positions and used their privileges to access these tools and spy on users.

One of the programs, dubbed "SnapLion," provides the keys to a user's kingdom, sources told the publication.

SnapLion was originally used to gather information on users when a law enforcement request or valid subpoena was issued, but access has since expanded across multiple teams, including a department called "Customer Ops," security staff, and employees tasked with combating bullying and spam.

Such tools are increasingly important for technology vendors, which need them to respond to legitimate legal requests and to police inappropriate behavior on their networks. But unless a company applies the principle of least privilege, limiting each staff member's access to what their job actually requires, the potential for abuse is always present.

In this case, two former and one current Snap employee said staff members have used these tools for illegitimate purposes and to spy on users without due cause in the past.


In some cases, saved Snaps, videos, location information, phone numbers, and email addresses were available to snooping employees.

While the company has since introduced stricter controls on data access and says it takes such abuse seriously, several years ago tools including SnapLion had no logging to record how, where and by whom data was being accessed, which allowed spying to go undetected.


Snap now implements adequate logging of which information employees have accessed, making it less likely that abuse goes undetected.
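The two controls the article points to, a least-privilege gate in front of a user-data lookup tool and an audit log that a detection pass can review, shown as an added illustration. This is not Snap's code; the team-to-data-category scopes, the ticket requirement and the repeat-lookup threshold are assumptions.

```python
from collections import Counter, namedtuple
from typing import Optional

# Hypothetical entitlement policy for an internal lookup tool: which data
# categories each team may retrieve. The article names the teams but not
# their scopes, so these assignments are assumptions.
ROLE_SCOPES = {
    "legal_response": {"account", "location", "saved_media"},
    "customer_ops": {"account"},
    "trust_safety": {"account", "saved_media"},
}

# One audit record per lookup attempt; ticket is the legal-request or
# support-case reference that justifies the access.
AccessEvent = namedtuple("AccessEvent",
                         "operator role target categories ticket allowed")

def authorize(role: str, categories: set, ticket: Optional[str]) -> bool:
    """Least-privilege gate: the role must cover every requested category
    and the lookup must cite a ticket."""
    return ticket is not None and categories <= ROLE_SCOPES.get(role, set())

def lookup(log: list, operator: str, role: str, target: str,
           categories: set, ticket: Optional[str]) -> bool:
    """Append an audit record for every attempt, allowed or denied, before
    any data would be returned."""
    ok = authorize(role, categories, ticket)
    log.append(AccessEvent(operator, role, target, frozenset(categories), ticket, ok))
    return ok

def find_suspicious(log: list, repeat_threshold: int = 3) -> list:
    """Detection pass over the audit log: every denied attempt, plus allowed
    lookups where one operator keeps returning to the same target."""
    flagged = [e for e in log if not e.allowed]
    repeats = Counter((e.operator, e.target) for e in log if e.allowed)
    flagged += [e for e in log if e.allowed
                and repeats[(e.operator, e.target)] >= repeat_threshold]
    return flagged

def demo() -> dict:
    """Constructed sample activity: a legitimate subpoena response, an
    out-of-scope request, and one operator repeatedly checking one user."""
    log = []
    lookup(log, "alice", "legal_response", "user_42", {"location"}, "LE-1001")
    lookup(log, "bob", "customer_ops", "user_42", {"location"}, "CS-77")
    for i in range(3):
        lookup(log, "carol", "trust_safety", "user_9", {"account"}, f"TS-{i}")
    flagged = find_suspicious(log)
    return {"events": len(log), "flagged": len(flagged),
            "operators": sorted({e.operator for e in flagged})}
```

Without the log, the denied out-of-scope request and the repeated lookups of one user by one operator would leave no trace to review.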

A company spokesperson told Motherboard that "we keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company's standards of business conduct and, if detected, results in immediate termination."


Given how much of our lives and identities now live in the digital space, social network staff who hold the required privileges may be tempted to abuse their data access. In this, Snapchat is not alone, as highlighted by a case in 2018 in which Facebook fired a security engineer for spying on women online.

The engineer had privileged access to user data and called himself a "professional stalker."

Uber's use of internal tools has also come under fire in the past. The ride-sharing service was given a slap on the wrist by regulators and a small fine in 2016 for using its "Godview" tool to track riders and access their historical logs without permission, alongside its generally lax view on security.

ZDNet has reached out to Snap and will update if we hear back.
