Recently, a news report said employees of multimedia messaging app Snapchat were using internal tools to violate the privacy rights of users, shining a light on the security threat that can arise from knowledgeable insiders. But the problem of insiders misusing or abusing their access privileges in order to invade the privacy rights of individuals is not new.
In Snapchat’s case, Motherboard reported: “Several departments inside social media giant Snap have dedicated tools for accessing user data, and multiple employees have abused their privileged access to spy on Snapchat users.” Sources and emails obtained by the news outlet, “described internal tools that allowed Snap employees at the time to access user data, including in some cases location information, their own saved Snaps and personal information such as phone numbers and email addresses. Snaps are photos or videos that, if not saved, typically disappear after being received (or after 24 hours if posted to a user’s Story).”
But Snapchat is hardly the first private company to face problems with employees abusing or misusing their security access privileges to violate customers’ privacy. And it is not just technology companies facing these issues.
In 2014, the Indiana Court of Appeals upheld a jury’s verdict against a Walgreen concerning a pharmacy employee who accessed the medical record of a customer and gave the prescription information to the customer’s ex-boyfriend, whom the employee was dating. In the case, Hinchy v. Walgreen Co., et al. (pdf), Walgreen was found liable for negligent supervision and retention and invasion of privacy. In 2015, the court, upon rehearing, affirmed the original decision (pdf).
In 2017, ride-hailing service Uber settled with the Federal Trade Commission and “agreed to implement a comprehensive privacy program and obtain regular, independent audits to settle Federal Trade Commission charges that the ride-sharing company deceived consumers by failing to monitor employee access to consumer personal information and by failing to reasonably secure sensitive consumer data stored in the cloud.” The company had, with little oversight, allowed employees to access a “God View” system that let them track the locations of individual customer riders in real-time.
Last year, NBC News reported Facebook “fired a security engineer who allegedly took advantage of his position to access information he then used to stalk women online.” This firing occurred about the same time that the social-networking company announced dating features on its site. Motherboard followed up with a report where former employees alleged more problems at the company. “One former Facebook worker said when they joined the company multiple people had been terminated for abusing access to user data, including for stalking exes. Another former Facebook employee said that they know of three cases where people were fired because they mishandled data, one of which included stalking.”
Although the above cases concern private companies, there are also stories concerning government employees accessing government databases in order to improperly obtain and misuse individuals’ private data.
A decade ago, a NYC police sergeant pleaded guilty “to illegally entering a federal database and giving information from a terrorist watch list to an acquaintance to use in a child-custody case in Canada,” the New York Times reported. Also in 2009, the Boston Globe reported that the Massachusetts state auditor has found misuse by law enforcement officials of the criminal records system. Police pried into the personal data of Patriots’ quarterback Tom Brady, actor Matt Damon, Boston Celtics player Paul Pierce and others.
In Minnesota, 104 officers from 18 agencies in the state accessed one woman’s driver’s license record 425 times. A 2013 state report later found such misuse was common. In 2014, the National Security Agency’s Inspector General revealed in a letter (pdf) to Sen. Chuck Grassley (R-Iowa) that there were cases “in which NSA personnel intentionally and willfully abused their surveillance authorities.” One case occurred on the insider’s “first day of access” to the signals intelligence (SIGINT) data. The person, a member of the military, “queried six e-mail addresses belonging to a former girlfriend, a U.S. person, without authorization.”
And the cases of insiders abusing their security privileges aren’t confined to the United States. In Canada in 2010, dozens of employees at the Canada Revenue Agency were “caught snooping on their ex-spouses, mothers-in-law, creditors and others by reading confidential tax files,” the Star reported. In New Zealand in 2011, a police officer used his access privileges to obtain and “leak secret information to his wife in a bid to win a custody battle with her ex-husband,” the Herald reported.
What does all of this show? It continues to be a security issue for companies and government agencies, federal and state, because employees can avoid security precautions and access data gathered for other purposes. Government agencies and private companies need to be vigilant about the security threats that come from the inside, from trusted employees.
Individuals have little recourse when such privacy breaches occur. Some will file lawsuits, but those take time and money. Sometimes, enforcement agencies will investigate, but that also takes time. And there is no overall federal privacy oversight agency, as I have detailed.
What needs to happen? Government agencies and companies need to train all employees on appropriate use of private data, and there must be security protections in place in case employees choose to ignore their responsibilities. There should be access logs, including the reasons for accessing the information, and such logs should be routinely audited internally and periodically audited by an external monitor.
It is imperative that there be continuous, unexpected audits by outside parties. It is far better to have a trained, trusted outsider assist with improving an agency’s or a company’s security protocols than to have a crime or scandal expose security failures and lead to investigations and lawsuits.