Privacy is a deeply personal concept - its meaning differs across cultures, genders, and geographical regions1. At Snap, we have created a set of privacy pillars that underpin how we design and build our products. Well established privacy frameworks like the Fair Information Practice Principles2, the OECD Privacy Guidelines3, and Ann Cavoukian’s Privacy by Design framework4, together guide the development of Snap’s four privacy pillars:
Design products with privacy in mind
Be responsible stewards of customer data
Provide transparency into what data we store and how we use it
Give our customers meaningful control over their data
To build products in line with these pillars, we have developed a privacy program that steers the entire lifecycle of every Snap product. Starting from the design phase, we evaluate a product's privacy footprint to make sure its customers continue to have the freedom to express and enjoy themselves. During the review, we decide what, if any, data can be collected or inferred. Our default stance is to avoid collecting data unnecessarily, especially private data like 1:1 communications, so we choose to collect the minimum amount of data needed to provide a service, rather than the "collect everything" mentality that many in the industry have today. When we must retain data, we store it with state-of-the-art security safeguards for the least amount of time needed. The design phase also covers how customers should have transparency and control over their data. Once the design is complete, we build and maintain the feature with various checks and balances to make sure the implementation adheres to the privacy guidance.
Snap's privacy program mandates privacy reviews for all new features and services as well as any changes to existing features or services that in any way touch customer data. Our program is unique and successful because everyone participates in it - Designers, Engineers, Product Managers, Product Counsels, and Privacy Engineers. The review is primarily driven by Product Counsels, who are attorneys with expertise in product privacy, and Privacy Engineers, who come with advanced degrees in privacy technologies.
As part of the review, we vet each feature against our privacy philosophy. Product Counsels evaluate what data we can collect or infer and whether its purposes are aligned with the law, our philosophy, and our privacy policy. Privacy Engineers play the role of white-hat hackers attempting to break the privacy of a given feature, and often come up with novel privacy-preserving alternatives. At times, the review results in detailed engineering recommendations for the feature team. For example, we may recommend adding noise in a differentially private manner to prevent a calculation from being overly influenced by a single person’s data. The review process ensures that potential privacy vulnerabilities are discovered and remediated during the design phase itself.
Privacy reviews are requested automatically through our agile software development system (Jira). When an employee starts the workflow for a new feature, the system automatically generates review subtasks and assigns them to a designated Product Counsel and Privacy Engineer.
We have also built a proprietary tool, PASS (Privacy ASsessment System), that helps navigate the review process. This tool provides a platform for Engineers and Product Managers to enter what data a feature uses, where it is stored, how long it is retained, and how it is used. Reviewers then analyze the information and actively discuss the requirements before formally completing the review. Upon completion, the tool locks itself, preventing any further edits.
The review tool also helps reviewers make more informed decisions by providing timely contextual cues. For example, in the screenshot of the tool below, a reviewer can find links to ten prior instances where a BigQuery table was accessed. Such cues empower reviewers to find necessary information from past reviews and provide better and quicker guidance.
Designing a feature in a privacy-safe manner is one part of the process. The next step is making sure the feature is implemented in accordance with the privacy guidance. This is achieved both pre-release and post-release of the feature.
Pre-release verification certifies that the code matches its design even before it reaches our customers. This is critical for customer-facing features that have privacy implications. For example, a feature requiring explicit consent from Snapchatters is verified by a dedicated Test Engineer. To make this seamless, our review tool allows creation of privacy verification tasks with the click of a button.
In some cases, Privacy Engineers work directly with Software Engineers to review or even implement parts of the code. Such close collaboration eliminates a single-point-of-failure, which is crucial when privacy guarantees rely on a bug-free implementation. To illustrate, if a Privacy Engineer proposes adding Laplacian noise with specific parameters to provide differential privacy for a feature, they may also review the corresponding code change.
Post-release verification ensures the implementation remains in line with the privacy guidance as long as the feature remains live. Part of this is achieved through rigorous testing. Say, in addition to pre-release verification, Test Engineers may set up on-device automated tests to keep verifying the requirements for future releases.
We have also invested in building tools that monitor various aspects of the data lifecycle post feature release. For example, we have developed a tool that automatically classifies the data present in the datastores of various Snap products, mapping it to a list of known data types (e.g., IP Address, Username, etc.) - this helps us be responsible stewards of customer data.
Finally, we encourage all employees to be privacy-conscious and report any other privacy issues that they uncover during day-to-day work . This allows us to detect issues sooner rather than later. We also run a bug bounty program on HackerOne to detect and address outstanding issues before external adversaries can take advantage of them.
Our goal is to make Snapchat and other Snap products a unique experience, where you always feel in control of your privacy and where you can communicate without worry. To build this reality for hundreds of millions of people everyday, we embraced a very principled and radical privacy philosophy - and tasked our Product Counsels and Privacy Engineers with making these principles come true.