What technical evidence shows whether My Eyes Only encryption is client‑side versus server‑accessible by Snapchat?

Checked on January 19, 2026

Executive summary

Public reporting and vendor statements in the available sources consistently characterize Snapchat’s My Eyes Only as using client-side encryption: the passcode-derived key is generated and applied on the user’s device, so Snapchat does not hold a usable copy of the decryption key or plaintext. However, exact algorithm details are not publicly disclosed, and forensic vendor reports show practical exceptions when decrypted copies exist in local caches or device backups [1] [2] [3] [4].

1. What Snapchat and official materials say: vendor claims of client-side protection

Snapchat’s own product and privacy documentation describes My Eyes Only as a feature that “lets you keep your Snaps safe and encrypted, and protected behind a password you choose,” and explicitly states that without the password “no one can view the things you saved on My Eyes Only — not even us.” This supports the vendor position that decryption depends on a client-held secret rather than a server-held key [3] [5].

2. Independent guides and help sites: consensus on local key derivation and irrecoverability

Multiple independent guides and help articles summarize the technical implication: when media are moved to My Eyes Only, they are encrypted locally using a key derived from the user’s passcode, and Snapchat does not store a recoverable copy of that passcode or key. As a result, resetting the passcode deletes the vault contents, and forgetting the passcode is effectively irreversible, which is an operational hallmark of client-side key management [1] [2] [6].

3. What’s unspecified: algorithms and exact key handling remain opaque

While sources lean toward AES-like symmetric encryption with a passcode-derived key, Snapchat has not published a detailed cryptographic whitepaper, or the exact algorithm, cipher suite and key-derivation parameters, in the material supplied here. Reports that say “likely AES-256” should therefore be treated as reasoned inferences rather than confirmed technical specifications [2].
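The client-side model described in sections 2 and 3, as an added illustration that is not Snapchat's code: a key is stretched from the passcode on the device, and only salt, nonce, ciphertext and tag ever leave it. Because Snapchat's algorithm is unpublished, PBKDF2-HMAC-SHA256, the iteration count and the HMAC-based stream cipher (a standard-library stand-in for an AEAD such as AES-GCM) are assumptions, and the names `seal` and `open_sealed` are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor, not a published Snapchat parameter

def _derive_keys(passcode: str, salt: bytes):
    """Stretch the passcode on the device into an encryption key and a MAC key."""
    okm = hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stands in for a real cipher such as AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def _mac(mac_key: bytes, blob: dict) -> bytes:
    """Authenticate everything the server stores (encrypt-then-MAC)."""
    msg = blob["salt"] + blob["nonce"] + blob["ciphertext"]
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal(passcode: str, plaintext: bytes) -> dict:
    """Client side: returns the only fields a server would ever receive."""
    blob = {"salt": secrets.token_bytes(16), "nonce": secrets.token_bytes(16)}
    enc_key, mac_key = _derive_keys(passcode, blob["salt"])
    stream = _keystream(enc_key, blob["nonce"], len(plaintext))
    blob["ciphertext"] = bytes(p ^ k for p, k in zip(plaintext, stream))
    blob["tag"] = _mac(mac_key, blob)
    return blob

def open_sealed(passcode: str, blob: dict) -> Optional[bytes]:
    """Client side: plaintext, or None if the passcode is wrong or the blob was altered."""
    enc_key, mac_key = _derive_keys(passcode, blob["salt"])
    if not hmac.compare_digest(_mac(mac_key, blob), blob["tag"]):
        return None
    stream = _keystream(enc_key, blob["nonce"], len(blob["ciphertext"]))
    return bytes(c ^ k for c, k in zip(blob["ciphertext"], stream))

if __name__ == "__main__":
    vault = [seal("4821", b"constructed sample photo bytes")]  # constructed input
    print(open_sealed("4821", vault[0]))   # correct passcode decrypts
    # After a passcode reset the old key is gone, so old blobs cannot be
    # re-encrypted under the new passcode and can only be discarded.
    print(open_sealed("7305", vault[0]))   # new passcode cannot open old blob
```

Nothing in the stored blob lets its holder decrypt without the passcode, which is the property the guides describe; plaintext copies left in caches or backups sit outside this model.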

4. Forensic evidence and practical exceptions: caches, viewed media, and device acquisition

Digital forensics vendors and practitioners report that My Eyes Only content can sometimes be recovered in practice when the snaps have been viewed locally, cached, or extracted from device backups or with tools like GrayKey/AXIOM. That empirical recovery is consistent with the data being encrypted at rest but still producing recoverable plaintext copies in device caches or backups. These circumstances do not contradict client-side encryption, but they show real-world exceptions to “never accessible” when device-level access or prior plaintext exposure exists [4].

5. Alternative and skeptical viewpoints: server access and key retention for other Snapchat data

A contrary technical note in the dataset points out that Snapchat does retain encryption keys or server-side access for some message types and that not all Snapchat data is end-to-end encrypted. The platform’s broader encryption posture is therefore mixed, and one cannot generalize “Snapchat can’t access any data” across all features: the My Eyes Only claims are feature-specific and should be evaluated separately from the service’s handling of regular chats and stored memories [7].

6. Security trade-offs and threat model: malware, device compromise, and user responsibility

Even if My Eyes Only is implemented as client-side encryption, it inherits the device’s security posture: a compromised or malware-infected phone can expose the passcode or decrypted media. Because Snapchat does not provide a passcode recovery mechanism, the user also bears the operational risk of losing access permanently. Both points are emphasized in help guides and privacy writeups [2] [1] [6].

7. Bottom line and reporting limitations

Taken together, the most direct technical evidence in these sources supports the position that My Eyes Only is primarily client-side encrypted: Snapchat and multiple third-party guides state that keys are derived from a local passcode and not retained in a recoverable form by Snapchat. Yet exact cryptographic parameters are not published here, and forensic recoveries from caches or compromised devices demonstrate practical exceptions rather than server-side decryption by Snapchat itself [3] [2] [4] [1] [7].
