Instagram's Weak Data Protection Causes More Privacy Problems for Facebook

Poor privacy practices have Facebook in hot water, again. This time, Facebook can thank its Instagram team for what's sure to be a PR nightmare. Business Insider just released a scathing investigative report:

"A combination of configuration errors and lax oversight by Instagram allowed one of the social network's vetted advertising partners to misappropriate vast amounts of public user data and create detailed records of users' physical whereabouts, personal bios, and photos that were intended to vanish after 24 hours."

If this sounds eerily similar to Facebook's Cambridge Analytica scandal, it is. The partner company responsible for scraping the data is Hyp3r, a self-described "location-based marketing Platform." Hyp3r maintains a massive database, largely made up of data scraped from public Instagram posts and profiles, to offer targeted ads to consumers in certain locations. For example, if you post a selfie at the Eiffel Tower, a Hyp3r-driven ad might persuade you to check in to a hotel in the area or visit a nearby restaurant.

The odd thing about Hyp3r's data scraping is its unashamed public admission of its practices. Hyp3r advertises "a unique dataset of hundreds of millions of the highest value consumers in the world," most of which come from Instagram. Its App Store listing includes Instagram screenshots showing where Hyp3r scrapes location data from Instagram posts.

Neither Instagram nor Hyp3r customers seemed to care about these practices until now. Hyp3r has been a member of the Facebook Marketing Partner program (an exclusive list of fully vetted companies that have access to various Facebook and Instagram marketing APIs). Further, big-name customers like Marriott, Pepsi, Hard Rock, and others use Hyp3r and publicly support it. Fast Company, Cannes Lions, Visa, and others have all given the company innovation awards, and it raised $17 million in new funding less than a year ago.

Only now, after Business Insider brought Hyp3r's practices to Instagram's attention, does anyone seem to care. So what are these practices? Here are some highlights from the Business Insider report:

  • Hyp3r created a tool that could "geofence" specific locations and then harvest every public post tagged with that location on Instagram
  • If a user makes a post at one of these locations, it is, unbeknownst to them, saved to Hyp3r's systems indefinitely
  • Hyp3r built a tool to collect Instagram stories, which are supposed to disappear in 24 hours, and the images are saved indefinitely, along with image metadata
  • The harvested Instagram data is combined with data collected elsewhere, and from previous Instagram posts, to specifically target Instagram users

Do these practices violate terms of service? Instagram says "yes". Hyp3r says "no". Instagram is most likely right as the terms exist today. But, prior to the Cambridge Analytica scandal, Hyp3r's practices would have been permitted. For the time being, Facebook has terminated Hyp3r from its Facebook Marketing Partner program. Keep an eye out for updates as this story progresses.
