What technical evidence exists about client‑side vs server‑side key storage for Snapchat Memories and My Eyes Only?
Executive summary
Snapchat publicly describes Memories as cloud‑backed and My Eyes Only (MEO) as a passcode‑protected, encrypted subfolder (Snap’s product pages and help docs) [1] [2]. Independent technical signals are mixed: forensic tools and practitioner reports show MEO content can sometimes be recovered and decrypted from device caches, suggesting that key material is held on, or derived on, the client, while Snap’s public statements emphasize server storage and transport encryption without publishing a detailed cryptographic design [3] [4] [5].
1. What Snapchat says: server backup plus an encrypted “vault”
Snapchat’s product pages and help documentation describe Memories as backed up to Snapchat’s servers and present My Eyes Only as an encrypted area protected by a user‑chosen passcode, with Snap warning that it cannot help recover lost passcodes [1] [2] [6]. Those public statements establish two facts: Memories are stored in the cloud under Snap’s service and MEO adds an additional passcode gate that the company frames as increasing user control and privacy [1] [2] [6].
2. Forensic and practitioner signals: client‑side access to encrypted MEO items
Independent forensic discussions and tooling indicate that MEO items can be located in device caches and—under some conditions—recovered and decrypted by forensic tools such as AXIOM, which claims support for decrypting MEO content from iOS and Android extractions [3]. Forum posts by practitioners explicitly state they have recovered and decrypted MEO pictures and some video frames from device images and suggest that Snap, Inc. cannot decrypt certain locally stored MEO items, implying the device holds the necessary material to unlock them or that the passcode can be used to derive a key on the client [3].
3. Reconciling the two narratives: plausible architectures consistent with available evidence
The combination of Snap’s statements (cloud backups, a passcode‑protected MEO) and forensic recoveries is most consistent with an architecture where Memories are stored on Snapchat’s servers as encrypted blobs while the MEO passcode functions as a client‑side secret used to derive or unlock a key that encrypts/decrypts MEO items on the device; that would allow Snap to host the encrypted data but not possess the plaintext without the derived key [1] [4] [2] [3]. However, none of the provided sources includes a Snap‑published cryptographic whitepaper or key‑management description that proves this design definitively, so this remains an inference based on public claims plus practical forensic observations [1] [3] [5].
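To make the inferred architecture concrete, here is an added Python model that is not Snap’s code and does not come from any of the cited sources: the passcode never leaves the device and feeds a memory‑hard KDF, the derived key encrypts each MEO item, and the server stores only a salt and opaque blobs. All names and parameters are assumptions; the cipher is a toy encrypt‑then‑MAC construction standing in for a real AEAD such as AES‑GCM.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical parameters for the demo; not Snap's values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32
SAMPLE_PHOTO = b"constructed sample photo bytes"  # constructed stand-in for a media file


def derive_vault_key(passcode: str, salt: bytes) -> bytes:
    """Client side: turn the user's passcode into a vault key with scrypt (memory-hard KDF)."""
    return hashlib.scrypt(passcode.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from HMAC-SHA256; a real client would use a vetted AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_item(vault_key: bytes, plaintext: bytes) -> Dict[str, bytes]:
    """Encrypt-then-MAC one item; the returned blob is what a server would store."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_item(vault_key: bytes, blob: Dict[str, bytes]) -> Optional[bytes]:
    """Verify the tag first; a wrong passcode or a tampered blob yields None, not garbage."""
    enc_key, mac_key = _subkeys(vault_key)
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"]))))


class CloudStore:
    """Models the server: it holds the KDF salt and opaque blobs, never the passcode or key."""

    def __init__(self) -> None:
        self.salt = secrets.token_bytes(16)
        self.blobs: Dict[str, Dict[str, bytes]] = {}

    def upload(self, item_id: str, blob: Dict[str, bytes]) -> None:
        self.blobs[item_id] = blob

    def download(self, item_id: str) -> Dict[str, bytes]:
        return self.blobs[item_id]


def demo() -> Dict[str, object]:
    """Run the client/server exchange and report what each side can see."""
    server = CloudStore()
    device_key = derive_vault_key("2580", server.salt)          # passcode stays on the device
    server.upload("photo1", encrypt_item(device_key, SAMPLE_PHOTO))
    blob = server.download("photo1")
    return {
        "right_passcode": decrypt_item(derive_vault_key("2580", server.salt), blob),
        "wrong_passcode": decrypt_item(derive_vault_key("2581", server.salt), blob),
        # Without the passcode the server holds only ciphertext; a lost passcode means a lost vault.
        "server_sees_plaintext": SAMPLE_PHOTO in blob["ct"],
    }


if __name__ == "__main__":
    print(demo())
```

In this model the server can host, replicate and back up the blobs yet cannot produce plaintext, which matches both Snap’s warning that it cannot recover a lost passcode and the forensic observation that a device holding the passcode (or a cached derived key) can decrypt. The scheme’s confidentiality rests entirely on passcode entropy and KDF cost, and nothing in it rules out a server‑side escrow or split‑key variant, which is exactly the gap the cited sources leave open.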
4. Conflicting claims, hidden agendas, and limits of reporting
Commercial explainers and how‑to guides often simplify or overstate privacy guarantees—claiming Snap “cannot access” MEO or that encryption guarantees absolute secrecy—without citing technical proofs [7] [8]. Forensic posts come from practitioners with incentives to explain recoverability for law enforcement or customers, which can bias emphasis toward client‑side recoveries [3]. Crucially, none of the supplied sources publishes Snap’s server‑side key policies, audit logs, or source‑level cryptography, so the article cannot prove whether Snap retains any server‑side key escrow, split‑key schemes, or operational access to plaintext in edge cases such as backups, legal process, or internal debugging [1] [5].
5. Bottom line: what technical evidence exists and what it means for users
Available technical evidence is indirect but consistent: Snap stores Memories in the cloud (Snap’s docs) and presents MEO as passcode‑gated encryption [1] [2], while independent forensic work shows MEO content can be recovered and decrypted from device artifacts [3], which strongly suggests that key material is held on, or derived on, the client. There is no publicly available, authoritative Snap cryptographic specification in the provided reporting to conclusively show whether keys are exclusively client‑held, split with servers, or accessible to Snap under specific conditions, so firm conclusions about server‑side key storage cannot be drawn from the sources at hand [1] [3] [5].