Archive for Snapchat

Snapchat Caught Spying On Its Users

Posted in Commentary with tags on May 24, 2019 by itnerd

Vice has a report that based on ‘multiple sources’ and a cache of internal emails, Snapchat employees were spying on users:

Two former employees said multiple Snap employees abused their access to Snapchat user data several years ago. Those sources, as well as an additional two former employees, a current employee, and a cache of internal company emails obtained by Motherboard, described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user’s Story).

And:

One of the internal tools that can access user data is called SnapLion, according to multiple sources and the emails. The tool was originally used to gather information on users in response to valid law enforcement requests, such as a court order or subpoena, two former employees said. Both of the sources said SnapLion is a play on words with the common acronym for law enforcement officer LEO, with one of them adding it is a reference to the cartoon character Leo the Lion. Snap’s “Spam and Abuse” team has access, according to one of the former employees, and a current employee suggested the tool is used to combat bullying or harassment on the platform by other users. An internal Snap email obtained by Motherboard says a department called “Customer Ops” has access to SnapLion. Security staff also have access, according to the current employee. The existence of this tool has not been previously reported.

SnapLion provides “the keys to the kingdom,” one of the former employees who described the abuse of accessing user data said.

What makes this really bad is that Snapchat users choose the platform specifically because of its perceived privacy. And what this report proves is that Snapchat users potentially have none. Though the company would rather that you didn’t think about that based on this statement:

A Snap spokesperson wrote in an emailed statement “Protecting privacy is paramount at Snap. We keep very little user data, and we have robust policies and controls to limit internal access to the data we do have. Unauthorized access of any kind is a clear violation of the company’s standards of business conduct and, if detected, results in immediate termination.”

Sure. Right. I’m not buying that and neither should you if you use Snapchat. And once again this highlights that companies like Snap need to be reined in and regulated. Otherwise this sort of thing will simply keep happening.

Snapchat Has A New Map Feature That Should Worry You

Posted in Commentary with tags on June 26, 2017 by itnerd

First the marketing spin. Snapchat has a new mapping feature. Called Snap Map, it lets users track each other’s movements in real time. Here’s a video of it in action:

Here’s the problem with this feature. When you update Snapchat and get to the Snap Map walkthrough, it mentions sharing your location. But it’s vague on what that exactly means. Thus you may end up enabling this feature and giving all sorts of people access to your location in real time, all the time. Worse yet, a lot of users of Snapchat are under 18, thus you can imagine how horribly sideways this could go with that group of humans.

#Fail.

My advice is to enable “Ghost Mode.” If you’ve already enabled location sharing for Snap Map, tap the settings gear in the top right while viewing the Map, and select Ghost Mode from there. Or just enable it from the get go when you update Snapchat.

You have to wonder what Snapchat was thinking when they came up with this. I suspect that with the potential blowback that this feature will likely generate, they may be rethinking how this feature works right now.

Snapchat Settles With FTC Over Messages That Don’t Disappear

Posted in Commentary with tags on May 8, 2014 by itnerd

I think it’s safe to say that Snapchat has now officially jumped the shark. That’s because after being hacked and having a rather poor response to it before finally addressing the issue, Snapchat has now had to settle with the FTC over charges that its key feature, which is that messages that you make disappear after they get viewed, didn’t actually work. Here’s what Forbes wrote about the subject:

In a press conference, the FTC’s Assistant Director, Division of Privacy and Identity Protection, Christopher Olson said “if you make promises about privacy you must honor those promises.” He also said there were security flaws that Snapchat should have addressed to “prevent unauthorized user from accessing Snapchat user names and phone numbers.”

As part of the agreement, Snapchat will have to change its messaging to make it more clear that messages don’t necessarily disappear. “Under the terms of its settlement with the FTC, Snapchat will be prohibited from misrepresenting the extent to which it maintains the privacy, security, or confidentiality of users’ information. In addition, the company will be required to implement a comprehensive privacy program that will be monitored by an independent privacy professional for the next 20 years,” according to the FTC.

Any violation of this order will subject the company to civil penalties in the future, Olson said.

Snapchat was contrite via a blog post that went up today, but one has to wonder if the damage is done and if Snapchat is done like dinner. I suspect it is.

 

Snapchat Rolls Out New Security… It Gets Compromised In Less Than 24 Hours

Posted in Commentary with tags on January 23, 2014 by itnerd

The more I write about Snapchat, the less secure it seems to me. Yesterday Snapchat released a new verification system to enhance the security of the app by verifying that you’re a real person. Here are the details from news.com:

After registering with an e-mail address, password, and birth date, you’re presented with a set of nine tiles, some with Snapchat’s familiar ghost mascot and some without.

Your challenge is to tap on the images with the ghosts. Do it successfully, and you gain entry. Otherwise, Snapchat denies your request and prompts you to keep trying.

It sounds great. Except for the fact that in less than 24 hours, it’s been compromised:

Steve Hickson used his knowledge of how computers recognize images and template matching to show how a computer could fool Snapchat’s new Captcha-style image verification that debuted on Wednesday.

“I spent around 30 minutes writing up some code” to perform the automated recognition and selection task, Hickson said. “With very little effort, my code was able to ‘find the ghost’ in the above example with 100 percent accuracy.”

He explained that after “thresholding” them, which separates an image into color segments, he created feature points on the original ghost template and had his script look for matches in the extracted images.

“If the uniqueness is high enough and enough features are found, we call it a ghost,” he said.

Well, that’s just great. Snapchat hasn’t said anything about this, but you can expect that they’re looking at ways to contain the damage from this latest blow to the security of their application.

Snapchat Finally Apologizes For Data Breach… Posts New Version

Posted in Commentary with tags on January 9, 2014 by itnerd

You might recall that Snapchat got hacked and 4.6 million usernames and partial phone numbers got released to the world. Then when Snapchat responded to this, their response was kind of lame to say the least. Today, a blog post from Snapchat went up that had two things of interest:

This morning we released a Snapchat update for Android and iOS that improves Find Friends functionality and allows Snapchatters to opt-out of linking their phone number with their username. This option is available in Settings > Mobile #.

This update also requires new Snapchatters to verify their phone number before using the Find Friends service.

So, they finally addressed this issue. It took them long enough. But they also did this:

We are sorry for any problems this issue may have caused you and we really appreciate your patience and support.

So they finally apologized. Nice, but it would have meant more if they had apologized when it happened. It might have made their users feel a bit better about the company. But I guess it’s better late than never.

Snapchat Responds To Hack & Fails To Make Anyone Feel Better

Posted in Commentary with tags on January 3, 2014 by itnerd

It took them a couple of days, but Snapchat has finally responded to the hack that resulted in the user info and phone numbers of 4.7 million users being exposed. They posted an entry on their blog late yesterday that among other things had this to say:

A security group first published a report about potential Find Friends abuse in August 2013. Shortly thereafter, we implemented practices like rate limiting aimed at addressing these concerns. On Christmas Eve, that same group publicly documented our API, making it easier for individuals to abuse our service and violate our Terms of Use.

We acknowledged in a blog post last Friday that it was possible for an attacker to use the functionality of Find Friends to upload a large number of random phone numbers and match them with Snapchat usernames. On New Years Eve, an attacker released a database of partially redacted phone numbers and usernames. No other information, including Snaps, was leaked or accessed in these attacks.

We will be releasing an updated version of the Snapchat application that will allow Snapchatters to opt out of appearing in Find Friends after they have verified their phone number. We’re also improving rate limiting and other restrictions to address future attempts to abuse our service.

And to deal with the perception that Snapchat didn’t take what the security researchers said seriously, there’s this:

We want to make sure that security experts can get ahold of us when they discover new ways to abuse our service so that we can respond quickly to address those concerns. The best way to let us know about security vulnerabilities is by emailing us: security@snapchat.com.

However if you read through this post, the company never actually says the word sorry. They just say that there was a problem, they’re going to fix it, and if you find something here’s how you contact them. There’s nothing here that should make users feel any safer about using Snapchat. That is a #fail as user information and phone numbers were exposed. Sure the phone numbers were partially redacted. But I bet that if someone tries hard enough, they can make use of that info for evil purposes. Thus the company needs to step up and own that. Snapchat also needs to give their users the feeling that they take their privacy seriously and show some remorse over this hack.

We’ll see if Snapchat actually does that, or do they duck, cover, and hope this blows over.
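
As an added illustration (not Snapchat's code and not part of the original post), here is a minimal sketch of the three Find Friends controls the statement names: phone verification before lookup, a rate limit, and opt-out. The class name, data model and thresholds are assumptions, and the phone numbers in any usage are constructed.

```python
import time
from collections import defaultdict

WINDOW_SECONDS = 24 * 3600     # assumed budget window
MAX_NUMBERS_PER_WINDOW = 500   # assumed cap, roughly one large address book


class FindFriendsService:
    """Hypothetical contact-discovery endpoint with the three controls."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.directory = {}             # phone -> username
        self.opted_out = set()          # usernames hidden from Find Friends
        self.verified = set()           # accounts with a verified phone number
        self.seen = defaultdict(dict)   # requester -> {phone: first_seen_ts}

    def register(self, username, phone, verified=True, opt_out=False):
        self.directory[phone] = username
        if verified:
            self.verified.add(username)
        if opt_out:
            self.opted_out.add(username)

    def lookup(self, requester, phones):
        # Control 1: the requester must have verified their own number.
        if requester not in self.verified:
            return {"error": "verify_phone_first", "matches": {}}
        now = self.clock()
        seen = self.seen[requester]
        # Forget numbers that have aged out of the window.
        for p in [p for p, ts in seen.items() if now - ts >= WINDOW_SECONDS]:
            del seen[p]
        # Control 2: budget on *distinct* numbers, so re-syncing the same
        # address book is free but walking a number range is not.
        new = [p for p in dict.fromkeys(phones) if p not in seen]
        if len(seen) + len(new) > MAX_NUMBERS_PER_WINDOW:
            return {"error": "rate_limited", "matches": {}}
        for p in new:
            seen[p] = now
        # Control 3: opted-out users never appear in results.
        matches = {p: self.directory[p] for p in phones
                   if p in self.directory
                   and self.directory[p] not in self.opted_out}
        return {"error": None, "matches": matches}
```

Counting distinct numbers per account, rather than requests, is what makes bulk uploads of random numbers expensive while leaving ordinary address-book syncs unaffected.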

Snapchat Hacked…. Should You Be Worried?

Posted in Commentary with tags on January 2, 2014 by itnerd

If you use the popular photo sharing site Snapchat, you need to pay attention to this. A website titled SnapchatDB (which is now offline) leaked 4.6 million Snapchat usernames and their associated phone numbers and geographical regions earlier today, Forbes is reporting:

Anonymous hackers have claimed to use the reported Snapchat API exploit to compile a database of 4.6 million Snapchat usernames and their associated phone numbers and geographical regions. The site, SnapchatDB.info, offers the information as a SQL database dump (reportedly 40MB) or as a CSV file. Instructions on the pages say, “You are downloading 4.6 million users’ phone number information, along with their usernames. People tend to use the same username around the web so you can use this information to find phone number information associated with Facebook and Twitter accounts, or simply to figure out the phone numbers of people you wish to get in touch with.”

Lovely.

Snapchat has not commented on this, but this is not good. If you’re a Snapchat user, you should be worried as who knows what could happen with this info floating around. You should likely check this online tool to see if your info was part of this hack. If it was, you should consider deleting your Snapchat account here. But this won’t remove your phone number from the already circulating leaked database. Thus if you’re paranoid about that, you may want to give your mobile phone provider a call and see if they can change your number. Make sure you mention this hack as it may get done for free. Otherwise it will cost you.

In the meantime, Snapchat has some explaining to do.