This Instagram Trusted Partner Scraped Users' Stories and Tracked Their Locations Courtesy of Its Sloppy Privacy Practices

Facebook is still failing to protect users' privacy, especially on Instagram. Facebook still allows user data to be collected without their consent. A San Francisco startup that is an Instagram trusted partner has been illegally saving users' Stories and tracking their locations.

HYP3R, the startup doing the scraping, was one of Instagram’s important advertising partners, but it took advantage of Instagram’s incompetent privacy policies to build detailed records of users’ Stories (which are supposed to disappear after 24 hours), their personal descriptions, and their locations.

According to Business Insider, the firm says it collects up to one million Instagram posts a month, and 90% of the data it scrapes is from the giant photo and video sharing platform. The company did this by:

• Taking advantage of an Instagram security lapse that allowed HYP3R to zero in on specific locations, like hotels and gyms, and scrape up all the public posts made from those locations.
• Using these locations to save users’ public Instagram Stories, a clear violation of Instagram's terms of service.
• Scraping public user profiles, including their bios and followers, which it then combined with the other location information and data from other sources.
• Using image recognition software on the users’ posts it collects to automatically show what’s in the pictures.

HYP3R used a geofence tool it created to harvest public posts tagged with a specific location. This means that once a place is tagged, whether a hotel or a hospital, that post gets saved to HYP3R's database without the user's knowledge. The location data is not the only detail saved; your profile picture, bio and number of followers are saved too.

For Stories, since Instagram doesn’t offer an API that accesses this feature, HYP3R built a tool that collects them. The saved Stories include their metadata. Instagram lets developers access Stories of business accounts, but they are restricted to accessing locations.

The detailed collections gave the firm complete profiles of millions of users, their habits and the businesses they visit.

This practice by HYP3R is against Instagram’s rules, and the irony is that the marketing firm is one of its most preferred partners.

Instagram is a Facebook-owned platform where most users prefer to share personal photos such as family vacations or relationship milestones, and this recent revelation is worrying, especially if your profile is public.
Instagram is testing hiding likes from photos, which has led teens and other underage users to switch to business profiles to get more statistics from their photos, sacrificing privacy for validation. The switch comes with unintended privacy consequences.

Early this year it was also revealed that influencers', celebrities' and brands' contact info was being scraped. Facebook is yet to tighten up the privacy it should offer its users on Instagram, especially regarding what user data third-party partners can access using Instagram’s API.

Instagram has a publicly available JavaScript package that bundles up various bits of data into an easily accessible format; all it takes is appending a short string of characters to any Instagram photo URL. Scarily enough, no login or authentication is needed.

HYP3R did the scraping from the web version of the app, which contains easily parsable inline JSON with the location of the posts.

HYP3R, the location-based platform, says it didn’t violate any rules, arguing that accessing public data on Instagram is justifiable. The firm said it didn’t collect any data from user profiles set to private.

What Instagram is doing

Instagram has since sent HYP3R a cease-and-desist letter after Business Insider shared these findings with them. Instagram adds that it has made a product change that should help prevent other companies from scraping public location pages in this manner.

Instagram has also made a change that prevents public location pages from being made available to logged-out users.

It has also removed HYP3R’s access to the Instagram API and removed the firm from Facebook’s lists of marketing partners.
