Snap Inc

Overview

Snap Inc is a technology company founded in 2011 by Evan Spiegel, Bobby Murphy, and Reggie Brown while students at Stanford University. The company's flagship product, Snapchat, pioneered the concept of ephemeral messaging, content that disappears after viewing, and has grown to over 800 million monthly active users worldwide as of 2024. Snap went public in March 2017 with a valuation of approximately $24 billion.

Ephemeral Messaging and the Privacy Paradox

Snapchat was marketed from its inception as a privacy-first platform. The core selling point, messages that disappear, attracted users, particularly teenagers and young adults, who wanted to communicate without creating permanent records. This privacy branding has been central to Snap's identity and user acquisition strategy.

However, the reality of Snap's data practices has consistently contradicted this privacy-first branding. The FTC found in 2014 that Snapchat's claims about disappearing messages were deceptive. Content could be saved through screenshots (with varying notification reliability), third-party apps, and by accessing the device's file system. Snapchat collected and transmitted location data and contact lists without adequate disclosure. The gap between the privacy brand and the privacy reality defines Snap's threat profile.

Demographics and Vulnerability

Snapchat's user base skews young. Approximately 75% of 13-to-34-year-olds in the United States use the platform, and it is the most popular social media app among American teenagers. This demographic concentration means Snap's data practices disproportionately affect minors and young adults, populations that privacy regulations increasingly recognize as deserving heightened protection.

Data Collection Practices

Snap collects a broad range of user data, with particular concern around location tracking, biometric data from augmented reality features, and the collection of data from minors.

Location Tracking and Snap Map

Snap Map, launched in 2017, is one of the most granular real-time location broadcasting features on any consumer platform. When enabled, Snap Map displays a user's precise location on a map visible to their friends, updated in real time based on the user's last app usage. Key concerns include:

• Default behavior for new features: While Snap Map requires opt-in, the feature's integration with Stories and other features creates pressure to enable location sharing
• Ghosting ambiguity: Users can enter "Ghost Mode" to hide their location, but the feature's design nudges toward visibility
• Heat Map aggregation: Snap Map's "Heat Map" feature shows aggregated activity hotspots, which can reveal gathering locations for protests, events, and other sensitive assemblies
• Stalking and safety risks: Child safety organizations including the NSPCC have warned that Snap Map's precise location broadcasting creates stalking and grooming risks for teenage users

Location data is collected continuously when the app is active, and Snap's privacy policy permits the use of location data for advertising targeting, analytics, and product improvement.

Augmented Reality and Biometric Data

Snapchat's augmented reality (AR) lenses, one of the platform's most popular features, require real-time facial mapping to function. This processing captures facial geometry data that constitutes biometric information under laws like Illinois' Biometric Information Privacy Act (BIPA). Snap processes:

• Facial geometry: Shape, contours, and proportions of the face
• Facial landmarks: Position of eyes, nose, mouth, and other features
• Expression tracking: Real-time mapping of facial movements and expressions
• Body tracking: Newer AR features capture body position and movement data

In August 2022, Snap agreed to a $35 million settlement in Illinois to resolve a class-action lawsuit alleging that Snapchat's lenses collected biometric data without the informed consent required by BIPA. The lawsuit claimed Snap collected faceprints from millions of Illinois users through its AR features without proper notice or consent.

Children's Data Collection

Snapchat's popularity among teenagers raises persistent children's privacy concerns:

• The platform's minimum age is 13, but enforcement relies on self-reported birthdates with no robust age verification
• In October 2023, the UK's Information Commissioner's Office published a Children's Code audit of Snapchat identifying concerns about default privacy settings, location sharing features, and the adequacy of age verification mechanisms
• Snap's "Family Center" parental controls, launched in 2022, provide limited visibility into a child's activity and do not address the underlying data collection from minors

My AI Chatbot

In February 2023, Snap launched My AI, a ChatGPT-powered chatbot integrated directly into the Snapchat messaging interface. My AI raises specific data collection concerns:

• Conversation logging: All interactions with My AI are stored by Snap, creating records of queries, personal disclosures, and interests that expand Snap's user profiles
• Location data integration: My AI can access a user's location to provide contextual responses, adding AI-processed location history to Snap's data holdings
• Minor usage: My AI was made available to all users including teenagers, with no meaningful restrictions on the types of personal information minors could share with the chatbot
• Advertising integration: Snap announced plans to integrate sponsored content into My AI conversations, monetizing the intimate conversational data collected through the feature

In 2023, multiple U.S. state attorneys general raised concerns about My AI's data collection from minors, and several school districts blocked Snapchat on school networks citing the chatbot.

Content Scanning

Despite the ephemeral messaging branding, Snap scans content for multiple purposes:

• Safety and child sexual abuse material (CSAM) detection
• Content moderation and community guidelines enforcement
• Advertising relevance and content classification
• Machine learning training data

Known Clients & Government Contracts

Advertising Platform

Snap's primary commercial relationship is with advertisers. The company generated $4.6 billion in revenue in 2023, virtually all from advertising. Snap's advertising platform offers targeting based on:

• Location (precise and regional)
• Demographics and interests derived from app usage
• Snap Pixel tracking on third-party websites
• Custom audience matching using advertiser-provided data (email lists, phone numbers)

Law Enforcement Requests

Snap processes a significant volume of law enforcement data requests. According to its transparency reports, Snap received over 50,000 legal process requests from U.S. authorities in the first half of 2023 alone. Despite the ephemeral branding, Snap retains metadata about communications including:

• Timestamps of messages sent and received
• Sender and recipient identifiers
• IP addresses and location data associated with messages
• Unopened snaps (retained on servers until opened or expired, typically 30 days)

Snaplion Internal Access Tool

Snaplion is Snap's internal tool for processing law enforcement requests and accessing user data. The tool provides authorized employees with access to user location data, phone numbers, email addresses, and metadata. In 2019, Motherboard reported that Snap employees had abused Snaplion to access user data without legitimate justification. Multiple employees used the tool to spy on users, accessing personal information including location history, saved Snaps, and contact information. Snap confirmed the abuse occurred and stated that the employees were terminated, but the incident exposed the risks of internal access tools at companies with large quantities of sensitive data from young users.

Data Partnerships

Snap has maintained data-sharing partnerships with analytics providers and measurement platforms, sharing advertising performance data, aggregated usage statistics, and in some cases user-level data with partners including:

• Advertising measurement companies
• App attribution platforms
• Aggregated location analytics providers

Privacy Incidents & Litigation

FTC Consent Decree for Disappearing Messages Deception (2014)

In May 2014, the FTC settled charges that Snapchat deceived consumers with claims about the disappearing nature of messages. The FTC found that:

• Snapchat's claim that messages "disappear forever" was false, messages could be saved through multiple means
• Snapchat collected and transmitted users' location data and contact lists despite its privacy policy stating it did not track location
• Snapchat failed to secure the Find Friends feature, leading to a breach in January 2014 that exposed 4.6 million usernames and phone numbers
• The Android version of the app transmitted geolocation data without consent

The consent decree required Snapchat to implement a comprehensive privacy program and submit to independent privacy audits for 20 years. This order remains in effect through 2034.

Snap Map Safety Concerns (2017-Present)

The launch of Snap Map triggered immediate child safety concerns. The UK's NSPCC called the feature "worrying" and warned that it could be used by predators to locate children. Subsequent incidents confirmed these fears:

• Multiple documented cases of stalking facilitated by Snap Map location data
• Reports of bullying based on observing a user's location (e.g., not being invited to gatherings visible on the map)
• Concerns from law enforcement about the feature's utility for tracking individuals

Snaplion Employee Abuse (2019)

The revelation that Snap employees used the internal Snaplion tool to spy on users represented a significant internal access control failure. The abuse was not detected through internal monitoring but was reported by sources to journalists. The incident raised questions about:

• The scope of employee access to user data at Snap
• The adequacy of access logging and anomaly detection
• Whether additional instances of abuse went undetected

Illinois BIPA Settlement, $35 Million (2022)

The $35 million settlement resolved allegations that Snapchat's AR lenses collected biometric facial geometry data from Illinois users without the informed written consent required by BIPA. The case was one of several BIPA actions against technology companies that process facial data, and the settlement amount reflected the scale of Snapchat's biometric data collection from its large, young user base.

UK ICO Children's Code Audit (2023)

The UK Information Commissioner's Office published a detailed audit of Snapchat's compliance with the Children's Code (Age Appropriate Design Code) in October 2023. The audit identified concerns including:

• Default settings that were not sufficiently privacy-protective for child users
• Location-sharing features that created risks for minors
• Inadequate age verification allowing children under 13 to create accounts
• Insufficient transparency in how children's data was used for advertising

Snap agreed to implement changes based on the ICO's findings, but the audit highlighted ongoing gaps in protecting minor users.

My AI Regulatory Scrutiny (2023-Present)

Multiple state attorneys general, including those in Connecticut and New Mexico, raised concerns about My AI's data collection from minors. The attorneys general argued that the chatbot's placement in the messaging interface encouraged children to share personal information, and that Snap had not adequately considered the impact on minors before deploying the feature at scale.

Threat Score Analysis

Snap Inc receives a composite threat score of 52/100, reflecting moderate but persistent privacy concerns concentrated around youth data practices and the gap between privacy branding and actual data collection:

• Data Collection (65/100): Snap collects granular location data, biometric facial geometry through AR features, conversation data through My AI, and standard behavioral and device telemetry. The collection scope is narrower than platforms like Meta or Google, but the concentration of young users means this data disproportionately comes from minors. The My AI chatbot represents a new frontier of conversational data extraction deployed to a young audience.

• Third-Party Sharing (50/100): Snap's third-party data sharing is moderate compared to adtech companies. The platform monetizes user data primarily through its own advertising system rather than wholesale data sales. However, advertising measurement partnerships, the Snap Pixel, and custom audience matching all involve data flowing to third parties. The Snaplion abuse demonstrated that internal sharing controls were insufficient.

• Breach History (45/100): Snap has not suffered a catastrophic data breach, but the 2014 Find Friends exploit (4.6 million accounts), the Snaplion employee abuse, and the FTC's finding that location data was collected deceptively indicate a pattern of data security and governance failures. The relatively contained breach history is mitigated by the sensitivity of the data involved (predominantly from minors).

• Government Contracts (35/100): Snap does not serve as a government contractor and does not sell data to government agencies. However, the volume of law enforcement data requests (50,000+ in a six-month period) and the metadata retention capabilities revealed through the Snaplion tool indicate that Snap functions as a significant source of surveillance data for law enforcement, particularly in cases involving young people.

• Transparency (48/100): Snap publishes transparency reports, maintains a privacy center, and has cooperated with the ICO's Children's Code audit. However, the company's foundational privacy branding around disappearing messages was found to be deceptive by the FTC, establishing an early pattern of overclaiming privacy protections. The limited transparency around My AI data practices and the delayed disclosure of the Snaplion abuse indicate that transparency is reactive rather than proactive.

Weighted calculation: (65 * 0.25) + (50 * 0.25) + (45 * 0.20) + (35 * 0.15) + (48 * 0.15) = 16.25 + 12.5 + 9 + 5.25 + 7.2 = 50.2, adjusted to 52 due to the disproportionate impact on minors and the established pattern of privacy branding that exceeds actual privacy protections.

Transparency & Accountability

Snap occupies an unusual position in the privacy landscape: a company that markets itself on privacy while repeatedly failing to deliver on that promise.

The Ephemeral Messaging Deception

Snapchat's founding value proposition, that messages disappear, was found by the FTC to be false. This foundational deception established a pattern where Snap's public commitments to user privacy serve marketing purposes rather than reflecting actual data practices. The 20-year consent decree is a continuing acknowledgment that Snap's privacy claims require external verification.

Children's Privacy Gap

Despite serving one of the youngest user bases of any major platform, Snap has been slow to implement robust age verification and privacy protections for minors. The UK ICO audit's findings in 2023, nearly a decade after the FTC consent decree, indicated that children's privacy protections remained inadequate. The deployment of My AI to teenage users without specific protections for minors further demonstrated that product velocity consistently outpaces privacy safeguards.

Internal Access Controls

The Snaplion abuse revealed that Snap's internal controls over access to user data were insufficient to prevent employee misuse. For a platform serving primarily young users, the failure to adequately restrict and monitor internal access to sensitive data, including location history, represents a significant accountability gap.

Improving but Incomplete

Snap has made meaningful improvements including the Family Center parental controls, cooperation with the ICO's Children's Code audit, and updated privacy policies with clearer disclosure. The company's transparency reports are reasonably detailed and published on a regular schedule. However, these improvements consistently lag behind the deployment of new features that create new data collection vectors, leaving Snap in a perpetual cycle of privacy catch-up.

Structural Incentives

Snap's business model depends entirely on advertising revenue, which in turn depends on detailed user profiling. The company's core users, teenagers and young adults, are among the most engaged social media consumers, making their data particularly valuable. This structural incentive to maximize data collection operates in tension with Snap's privacy branding and the heightened protections that regulators increasingly require for younger users.