After that episode, Snapchat started a search for a top security executive. In April 2014, Jad Boutros filled that role. Boutros came from Google, where his most recent job was maintaining security for the company’s entire social layer, including Google Plus. Boutros immediately launched a series of in-depth security reviews. “It wasn’t hard to come up with a huge list of improvements,” he says. (He emphasized that this is not an indictment of previous practices, but a need for the highest standards.) In addition to securing the code base, he initiated formal protocols to integrate security design into all the engineering teams, building what he calls a “culture of security.”

It wouldn’t be easy. Not long after he joined, Snapchat suffered another big spam attack. Boutros set up a war room to deal with spammers. “We went from a bad situation, to where it’s very, very difficult for spammers to create accounts,” he says.

All throughout, Snapchat’s biggest security problem remained — outsiders who figured out how to access the company’s supposedly secret APIs, and then inserted spam or created third-party apps. Some of those apps offered users a way to violate Snapchat’s terms of service by capturing and archiving Snaps routinely. When one of those apps, called Snapsaved, was hacked, the perpetrators posted over 90,000 pictures and videos online. Even though Snapchat itself wasn’t directly victimized in what was dubbed The Snappening, Snapchat admits that the company should have been more proactive in stopping third-party services. And in our meeting, the executives reiterated their apology for that incident.

Now, says Sehn, Snapchat is doing much more to pull the plug on third-party apps. This week’s announcement that the APIs have been fortified — enough, in fact, to fix the third-party problem — is less a binary switch than an acknowledgement of an ongoing effort. Just check the iTunes App Store to see what users of those now-endangered third-party apps are saying. In reviews of SnapCrack, which promises to “save all the snaps you get from friends,” commenters are frustrated that the app they bought for $5 wasn’t working. “This app used to be the best,” wrote one reviewer on the iTunes App Store. “And now for the past few days it keeps saying it can’t connect to the Snapchat server. An update is needed, something, anything!”

Snapchat not only works with Apple and Google to try to block apps in their stores that violate Snapchat’s terms of service, it also started cracking down on users who install such apps. First comes a warning, and then, if the user persists in employing the third-party app, Snapchat will lock the account. Snapchat hopes that these measures will no longer be necessary, since it now feels it has fortified its platform to repel all the piggy-backing apps. (And you can’t get around this by using an earlier version of Snapchat; the company now requires users to upgrade to the current version of the app.)

“We never wanted third-party apps on our platform,” says Sehn. “We have created a product where it is more critically important than ever before that we control the end user experience. We’ve made commitments to our users.”

In short, Snapchat now feels that it has addressed its early mistakes that, in its view, were understandable shortcomings of a small team overwhelmed by explosive growth. Snapchat has changed its privacy policy to reflect the actual risk of exposure of its Snaps (and the policy is written in readable English, a rarity for those documents). Even a hard-core privacy advocate like EPIC’s Rotenberg says he has no current complaint with the company. “We’re happy to see the problem fixed,” he says. “We want those [ephemeral] services to be available. But you can’t represent yourself as a privacy protecting service and not deliver.”

Snapchat, though, chafes at that characterization of the company. While affirming that Snapchat lives up to its obligations to users, its executives prefer that we not view Snapchat as a “privacy service,” but a fun and diverting means of communication.

Even conceding that point, some privacy activists complain that Snapchat still has a way to go. Their biggest complaint is that Snapchat does not employ “end-to-end” encryption. Implementing end-to-end would mean that from the minute someone produces a Snap until the instant a recipient sees it, the image or video is scrambled in such a way that no one can view it — not even Snapchat itself. Many of the major messaging companies (notably Apple) have adopted this practice, much to the ire of the FBI and other law enforcement and national security agencies. “This is the responsible way to deploy a messaging service in 2015,” says Christopher Soghoian, principal technologist of the ACLU.

Snapchat says it has no current plans to implement end-to-end encryption. But it does cite with pride the progress it has made, and now, having owned up to its shortcomings, it feels confident enough to claim that its privacy and security practices can stand up to scrutiny.

“On spam and abuse we are slightly worried that we have put our own team out of business [because they’ve shut down third-party apps so effectively],” says Boutros, only part jokingly. “So it’s a question of retooling, and starting to think proactively about where new forms of spam and abuse will come in.” Meanwhile, the constant work of tightening the code against attackers continues, both inside the company and now outside. “That is why we are opening up our bug bounty program, so our security team can hear more feedback,” Boutros says.

Speaking of bugs and features, Snapchat believes that its security practices belong in the latter bucket. “We actually consider it a competitive advantage that we care that much about users’ privacy and security,” says Sehn. “We care enough to delete their data. That is something that most companies don’t do because that data is valuable. It costs us something to do that. So it’s definitely part of the ethos that has been there since the start.”

Photos by David Walter Banks
